Pretend Fb Job Adverts Spreading ‘Ov3r_Stealer’ to Steal Crypto and Credentials

Feb 06, 2024NewsroomSocial Engineering / Malvertising

Crypto and Credentials

Risk actors are leveraging bogus Fb job commercials as a lure to trick potential targets into putting in a brand new Home windows-based stealer malware codenamed Ov3r_Stealer.

“This malware is designed to steal credentials and crypto wallets and ship these to a Telegram channel that the risk actor screens,” Trustwave SpiderLabs stated in a report shared with The Hacker Information.

Ov3r_Stealer is able to siphoning IP address-based location, {hardware} information, passwords, cookies, bank card data, auto-fills, browser extensions, crypto wallets, Microsoft Workplace paperwork, and a listing of antivirus merchandise put in on the compromised host.

Whereas the precise finish objective of the marketing campaign is unknown, it is seemingly that the stolen data is obtainable on the market to different risk actors. One other chance is that Ov3r_Stealer might be up to date over time to behave as a QakBot-like loader for extra payloads, together with ransomware.


The place to begin of the assault is a weaponized PDF file that purports to be a file hosted on OneDrive, urging customers to click on on an “Entry Doc” button embedded into it.

Trustwave stated it recognized the PDF file being shared on a pretend Fb account impersonating Amazon CEO Andy Jassy in addition to through Fb advertisements for digital promoting jobs.

Customers who find yourself clicking on the button are served an web shortcut (.URL) file that masquerades as a DocuSign doc hosted on Discord’s content material supply community (CDN). The shortcut file then acts as a conduit to ship a management panel merchandise (.CPL) file, which is then executed utilizing the Home windows Management Panel course of binary (“management.exe“).

The execution of the CPL file results in the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository to in the end launch Ov3r_Stealer.

Facebook Job Ads

It is price noting at this stage {that a} near-identical an infection chain was not too long ago disclosed by Development Micro as having put to make use of by risk actors to drop one other stealer known as Phemedrone Stealer by exploiting the Microsoft Home windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS rating: 8.8).

The similarities lengthen to the GitHub repository used (nateeintanan2527) and the truth that Ov3r_Stealer shares code-level overlaps with Phemedrone.

“This malware has not too long ago been reported, and it could be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” Trustwave stated. “The primary distinction between the 2 is that Phemedrone is written in C#.”


The findings come as Hudson Rock revealed that risk actors are promoting their entry to regulation enforcement request portals of main organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.

Additionally they observe the emergence of a class of infections known as CrackedCantil that take leverage cracked software program as an preliminary entry vector to drop loaders like PrivateLoader and SmokeLoader, when subsequently act as a supply mechanism for data stealers, crypto miners, proxy botnets, and ransomware.

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles