A new strain of malware, called “Ov3r_Stealer,” is currently spreading through Facebook via fake job ads and accounts, and is proving to be quite a formidable threat. This malicious software is designed to steal a wide range of data from unsuspecting victims, and it has various methods of execution to achieve its nefarious goals.
Researchers from Trustwave SpiderLabs recently discovered this novel form of malware and have shed some light on the mechanics behind it. According to their findings, Ov3r_Stealer has the capability to exfiltrate a wide range of sensitive data, including geolocation based on IP, hardware information, passwords, cookies, credit card details, browser extensions, crypto wallet information, Office documents, and even antivirus product information. Once this data is stolen, it is sent to a Telegram channel being monitored by the threat actors.
The researchers initially came across the malware in early December, when it was being distributed through a job advertisement for an account manager position on Facebook. Subsequently, they also discovered that the actors behind the malware were using a variety of scams on Facebook, including the creation of fake accounts, to propagate the malware.
What sets Ov3r_Stealer apart from other forms of malware is its range of execution methods. In addition to using PowerShell, it can also be executed on a victim’s machine through HTML smuggling, SVG image smuggling, and .LNK shortcut files masquerading as text documents. This multi-pronged approach makes it a challenging threat to prevent and detect.
The researchers delved even further into the origins of Ov3r_Stealer and found a complex web of communication among the threat actors behind the malware. They uncovered various pseudonyms, communication channels, and data repositories that provided insight into the inner workings of the malicious operation. It became evident that Ov3r_Stealer is the product of multiple threat actors who collaborate via various channels and platforms.
Although the data is clearly being stolen, it remains unclear how the threat actors use it. Possibilities include selling it on the dark web or using it for phishing attacks. The researchers also revealed that Ov3r_Stealer can be used to deliver other types of malware or post-exploitation tools, such as ransomware.
The execution methods employed by Ov3r_Stealer are sophisticated and diverse. From using Windows CPL files to malicious HTML and SVG files, the malware is adept at infiltrating victims’ systems and delivering its payload. Once executed, it establishes persistence through various means and continuously exfiltrates data from the compromised system.
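The two delivery tricks named above, .LNK shortcuts dressed up as text documents and HTML or SVG smuggling pages, both leave file-level traces that a defender can triage before any payload runs. The script below is an added example written for this article; it is not code from Trustwave SpiderLabs or from the malware itself. The file names, the HTML and SVG bodies and the base64 blob are constructed placeholders (the blob encodes a harmless string, not a real payload), and the indicator names and scoring rule are this example's own choices, not something the write-up specifies.

```python
"""
Added example (not from the Trustwave write-up): file-level triage for the
Ov3r_Stealer delivery tricks named above, .LNK shortcuts posing as text documents
and HTML/SVG smuggling pages. All sample inputs are constructed placeholders.
"""
import base64
import re
from pathlib import PurePath

# Extensions a shortcut would want to impersonate. Explorer hides the trailing
# ".lnk", so "Job Description.txt.lnk" is displayed as "Job Description.txt".
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def is_masquerading_shortcut(filename: str) -> bool:
    """True for a .lnk whose visible name ends in a document extension."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] == ".lnk"
            and suffixes[-2] in DOCUMENT_EXTENSIONS)


# Building blocks of a smuggling page: decode an embedded blob in the browser,
# wrap it in a Blob, and hand it to the user as a download. Each alone is common
# in benign pages; the combination is what gets scored.
SMUGGLING_PATTERNS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array|charCodeAt", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(|createObjectURL", re.I),
    "download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']|msSaveOrOpenBlob", re.I),
    "script_in_svg": re.compile(r"<svg\b.*?<script\b", re.I | re.S),
}
LARGE_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def smuggling_indicators(content: str) -> list[str]:
    """Return the names of every indicator present in an HTML or SVG file."""
    hits = [name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(content)]
    if LARGE_BASE64.search(content):
        hits.append("large_base64_literal")
    return hits


def is_suspected_smuggling(content: str) -> bool:
    """Decode + Blob + (download or script-bearing SVG) is the smuggling combination.
    A large base64 literal on its own (inline image data) is deliberately not enough."""
    hits = set(smuggling_indicators(content))
    return ({"decode", "blob"} <= hits
            and ("download" in hits or "script_in_svg" in hits))


def triage(filename: str, content: str = "") -> dict:
    """One verdict per file: which indicators were found and whether to escalate."""
    indicators = []
    if is_masquerading_shortcut(filename):
        indicators.append("lnk_masquerading_as_document")
    if content:
        indicators.extend(smuggling_indicators(content))
    flagged = ("lnk_masquerading_as_document" in indicators
               or is_suspected_smuggling(content))
    return {"file": filename, "indicators": indicators, "flagged": flagged}


# --- constructed samples (placeholders, not real payloads) -------------------
PLACEHOLDER_B64 = base64.b64encode(b"constructed placeholder bytes " * 12).decode()

# Benign page: a large base64 literal, but it is only an inline image.
BENIGN_HTML = f'<html><body><img src="data:image/png;base64,{PLACEHOLDER_B64}"></body></html>'

# Constructed smuggling fragment: decode, Blob and a download name in one file.
SMUGGLING_HTML = f"""<html><body><script>
var packed = "{PLACEHOLDER_B64}";
var bytes = Uint8Array.from(atob(packed), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes]);
var link = document.createElement("a");
link.download = "Job Description.txt.lnk";
</script></body></html>"""

# Constructed SVG carrying the same decode-and-Blob logic inside a <script> element.
SMUGGLING_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"><script>
var blob = new Blob([Uint8Array.from(atob("{PLACEHOLDER_B64}"), function (c) {{ return c.charCodeAt(0); }})]);
</script></svg>"""

SAMPLES = [
    ("quarterly_report.pdf", ""),
    ("Job Description.txt.lnk", ""),
    ("landing.html", BENIGN_HTML),
    ("offer.html", SMUGGLING_HTML),
    ("logo.svg", SMUGGLING_SVG),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        verdict = triage(name, body)
        print(f"{'FLAG' if verdict['flagged'] else 'ok  '} {name}: {verdict['indicators']}")
```

Run as-is, the script flags the shortcut and the two smuggling samples and leaves the PDF and the image-bearing page alone. The scoring rule matters: a base64 literal by itself would flag every page with an inline image, so the check requires the in-browser decode and Blob construction to appear together with either a download attribute or a script inside an SVG. Pointing `triage` at mail attachments or a download directory is the obvious next step, with the match list feeding a ticket rather than an automatic block.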
While widespread campaigns using Ov3r_Stealer have not been observed, the researchers emphasize that the threat posed by this malware is ongoing. They believe that it is continually evolving and could be utilized in future campaigns. They also provided a comprehensive list of indicators of compromise to help organizations identify the malware in their environment.
To mitigate the risks associated with Ov3r_Stealer, Trustwave recommends that organizations implement robust security awareness programs to help employees identify malicious campaigns on social media and other attacker strategies. Additionally, regular application and service audits, up-to-date patching, and continuous threat hunting are essential to prevent and detect compromises before they cause significant damage.
In conclusion, Ov3r_Stealer represents a novel and complex threat that is poised to cause significant harm. Its multifaceted execution methods and the ongoing development behind it make it a formidable challenge for security professionals. By remaining vigilant and implementing robust security measures, organizations can help protect themselves from this insidious malware.
