A new malware called Ov3r_Stealer was discovered to be intended for stealing cryptocurrency wallets and passwords and then sending them to a Telegram channel that the threat actor maintains.
Identified in early December, the malware was spread through a Facebook advertisement for an account manager position.
The user was directed through weaponized links to a malicious Discord content delivery URL, which triggered the attack’s execution phase.
“The malware is designed to exfiltrate specific types of data such as GeoLocation (based on IP), hardware information, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information,” SpiderLabs shared with Cyber Security News.
Facebook Ads Delivering Password Stealing Malware
A weaponized PDF file is used for the malware’s initial access and delivery. The file impersonates a shared file on OneDrive. A simple clickable OneDrive link was found on a fake Facebook profile purporting to be Amazon CEO Andy Jassy.
Another instance was observed advertising a Digital Advertising position through a Facebook advertisement.
Upon selecting the “Access Document” link on the Facebook page, a file ending in .url is downloaded to initiate the next phase.
SpiderLabs at Trustwave found a faster way to reach the [.url] in the job notification for “pink women’s magazine” on Facebook by using the PDF file’s information.
The malware was downloaded as three files from a GitHub site using a PowerShell script that was run in the victim’s environment and pretended to be a Windows Control Panel binary.
Researchers observed additional methods of installing the malware onto the system throughout the study of the malware family. These methods included HTML smuggling, SVG smuggling, and LNK file masquerading.
After the malware’s three files are loaded and launched on the system, a Scheduled Task is used as a persistence mechanism to make the malware run every ninety minutes.
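The ninety-minute scheduled task is the one persistence detail the article gives, and it is something a defender can hunt for directly. The following PowerShell is an added example (not code from the article or from Trustwave) that lists every scheduled task whose repetition interval is close to 90 minutes and flags those whose action launches a script host; the interval tolerance and the list of flagged executables are assumptions to tune for your environment.

```powershell
# Added example: hunt for scheduled tasks repeating on a ~90-minute cadence
# whose action launches a script host (the persistence pattern described above).
# Assumed thresholds and executable list; adjust for your own baseline.

$SuspiciousHosts = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32')

function Find-RepeatingTask {
    param(
        [int]$IntervalMinutes  = 90,   # cadence reported for Ov3r_Stealer
        [int]$ToleranceMinutes = 5     # assumption: catch PT1H30M, PT90M, PT85M...
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval      # ISO 8601 duration, e.g. "PT1H30M"
            if (-not $interval) { continue }
            try   { $span = [System.Xml.XmlConvert]::ToTimeSpan($interval) }
            catch { continue }                            # ignore malformed durations
            if ([math]::Abs($span.TotalMinutes - $IntervalMinutes) -gt $ToleranceMinutes) { continue }

            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }    # COM-handler / mail actions have no Execute
                # Strip quotes and path so "%SystemRoot%\system32\powershell.exe" -> powershell
                $exe = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute.Trim('"'))
                [pscustomobject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    Author     = $task.Author
                    Interval   = $span
                    Execute    = $action.Execute
                    Arguments  = $action.Arguments
                    Suspicious = ($SuspiciousHosts -contains $exe.ToLower())
                }
            }
        }
    }
}

# Usage: flagged rows first, then everything else on the same cadence for baselining.
Find-RepeatingTask | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any flagged row should be compared against your task baseline; a PowerShell action with an encoded or hidden-window argument on this cadence is what the article's description would look like on disk.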
After the data is acquired, it is exfiltrated to a Telegram channel that the threat actor monitors. All of this data might end up in the hands of the highest bidder, or the malware might modularize and then be used as a dropper for additional malware or post-exploitation tools, all the way up to ransomware.
Researchers have found striking similarities between the Phemedrone stealer malware and the Ov3r_Stealer malware.
Given the latest reports of this malware, it is possible that Phemedrone was repurposed and given the new name Ov3r_Stealer. Phemedrone is written in C#, which is the primary difference between the two.
The team discovered numerous aliases, communication channels, and repositories during their extensive search for information on the threat actors. Aliases like “Liu Kong,” “MR Meta,” “MeoBlackA,” and “John Macollan” were found in forums like “Pwn3rzs Chat,” “Golden Dragon Lounge,” “Data Pro,” and “KGB Forums,” where a regular gathering of “researchers,” threat actors, and curious people takes place.
Mitigation
- Engage Security Awareness Programs
- Regular Application and Service audits and baselining
- Application patching
- Run continuous Threat Hunting through your environments for undetected compromises.