Severity
High
Analysis Summary
A new malware named Ov3r_Stealer has emerged, primarily spreading through deceptive job advertisements on Facebook. The malware targets users seeking management positions, leading them to a Discord URL. Once there, a PowerShell script is employed to download the Ov3r_Stealer malware payload from a GitHub repository. Despite using well-known tactics, the threat is significant due to Facebook’s widespread popularity.
The infection chain begins with a fake job ad on Facebook inviting users to apply for an Account Manager position. Clicking the ad redirects users to a Discord CDN link, which triggers the download of a file named 'pdf2.cpl'. Disguised as a DocuSign document, it is in fact a PowerShell payload that abuses the Windows Control Panel (.cpl) file format for execution.
The researchers who discovered this malware identified four distinct loading methods: malicious Control Panel files, weaponized HTML files carrying base64-encoded ZIP files, LNK files masquerading as text files, and SVG files with embedded .RAR files (SVG smuggling). The final payload comprises three files: a legitimate Windows executable (WerFaultSecure.exe), a DLL used for DLL sideloading (Wer.dll), and a document containing the malicious code (Secure.pdf).
Once executed, Ov3r_Stealer establishes persistence by creating a scheduled task named “Licensing2,” running every 90 minutes. The malware targets a variety of applications, including cryptocurrency wallets, web browsers, browser extensions, Discord, Filezilla, and others. It inspects the system services configuration in the Windows Registry, searches for document files in local directories, and exfiltrates data every 90 minutes to a Telegram bot, including geolocation information and a summary of stolen data.
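As an added example (not part of the Rewterz advisory), the following PowerShell hunts a Windows host for the two artefacts described above: the "Licensing2" scheduled task repeating every 90 minutes, and a WerFaultSecure.exe sitting beside a Wer.dll outside the system directory. The search roots and the "executable outside %SystemRoot%" heuristic are my assumptions; the checks are read-only.

```powershell
# Added example, not from the Rewterz advisory. Task name "Licensing2", the
# 90-minute repetition and the WerFaultSecure.exe + Wer.dll pair come from the
# advisory text; the search roots below are an assumption. Read-only checks.

function Get-RepeatMinutes {
    # Scheduled-task repetition intervals are ISO 8601 durations (PT90M, PT1H30M).
    param([string]$Iso)
    if (-not $Iso) { return $null }
    try { [System.Xml.XmlConvert]::ToTimeSpan($Iso).TotalMinutes } catch { $null }
}

$findings = @()

# 1. Persistence: a task named Licensing2, or any task repeating every 90 minutes
#    whose executable lives outside %SystemRoot%.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $mins = @($task.Triggers | ForEach-Object { Get-RepeatMinutes $_.Repetition.Interval })
    $exes = @($task.Actions | ForEach-Object { $_.Execute } | Where-Object { $_ })
    $isNamed   = $task.TaskName -eq 'Licensing2'
    $is90      = $mins -contains 90
    $outsideOS = @($exes | Where-Object { $_ -notlike "$env:SystemRoot\*" }).Count -gt 0
    if ($isNamed -or ($is90 -and $outsideOS)) {
        $findings += [pscustomobject]@{
            Type     = 'ScheduledTask'
            Location = $task.TaskPath + $task.TaskName
            Detail   = ($exes -join '; ')
        }
    }
}

# 2. Sideloading layout: WerFaultSecure.exe beside a Wer.dll in a user-writable
#    location. Windows' own copy normally lives under %SystemRoot%\System32; a
#    copy elsewhere with a Wer.dll next to it matches the advisory's description.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'WerFaultSecure.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.DirectoryName 'Wer.dll') } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type     = 'Sideload'
                Location = $_.DirectoryName
                Detail   = 'SHA256 ' + (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Ov3r_Stealer persistence or sideloading artefacts found.' }
```

Compare any reported SHA256 against the advisory's published hashes before acting; a match on the task name or file layout alone still warrants isolating the host for further review.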
“At a high level, this malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors. The tactics and techniques to drop the malware and the code itself is not unique”, they mentioned.
Researchers also found links between the exfiltration Telegram channel and specific usernames in forums related to software cracking. Additionally, code similarities were identified between Ov3r_Stealer and Phemedrone, a C# stealer, suggesting that Phemedrone might have served as a basis for the new malware. They discovered demo videos of the malware’s operation, potentially indicating efforts by threat actors to attract buyers or collaborators. The nationality of the threat actor remains inconclusive, as the videos were posted by accounts using Vietnamese and Russian languages, alongside the French flag.
Impact
- Credential Theft
- Sensitive Information Theft
- Cryptocurrency Wallet Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy security solutions that utilize behavioral analysis and anomaly detection to identify unusual patterns of activity that may indicate the presence of malware.
- Enforce multi-factor authentication for sensitive accounts, including cryptocurrency wallets and other financial services, to add an extra layer of security against unauthorized access.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.