iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Security researchers have spotted a new info-stealing campaign being spread via social media advertising.
A new form of info-stealing malware was spotted circulating in the wild last December.
Ov3r_Stealer, as discovered by researchers at Trustwave’s SpiderLabs, was seen spreading itself via Facebook advertisements that included a link to a “weaponised” PDF in a clickable OneDrive link.
The ads include one featuring Amazon chief executive Andy Jassy and another showcasing a job in digital advertising. Once clicked, the PDF links to a malicious Discord URL, which in turn downloads a fake DocuSign document.
“Generally, Windows would not allow this activity without some warning if the file was an executable binary, such as an .exe or .vbs, but since this is a Windows Control Panel (.cpl) file, Windows will allow this to occur without warning,” SpiderLabs said in a report on the new malware.
SpiderLabs also notes that since this malware relies upon Windows-based assets, it is likely limited to targeting only Windows devices.
The execution phase of the malware’s delivery features one of four distinct loaders. Firstly, a Windows Control Panel file runs a remote PowerShell script that installs a mix of legitimate and malicious files before deleting the archive they’re installed from. A second loading method uses a weaponised HTML file, while a third uses a shortcut .lnk file masquerading as a text file to download the malicious payload.
Lastly, the researchers observed a fourth loader using a vector graphics file with an embedded .rar that does the payload downloading.
The final payload consists of three files, two malicious and one legitimate, that run every 90 minutes to maintain persistence on the affected device.
Ov3r_Stealer itself is designed to gather a large amount of data, ranging from the details of several popular cryptocurrency wallets, web data, browser extensions such as password managers and authenticators, FTP credentials, and a lot more. Once the data is gathered, it’s packaged up and sent to a Telegram bot.
Trustwave’s researchers were also able to link the malware users on two popular hacking and cracking forums, where Ov3r_Stealer was actually being demoed – either to solicit sales or to show off. The threat actor’s nationality is unknown for certain, but various files and Telegram posts suggest a link to Russian, Vietnamese, and French speakers.
“Trustwave has not seen wide-sweeping campaigns using this malware; however, it was under continual development and likely still is,” Trustwave said.
“As Ov3r_Stealer has been actively developed with multiple loader techniques, we may see this one eventually be sold or used in other campaigns in the future.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
