February 7, 2024 at 04:29PM
Ov3r_Stealer, a new password-stealing malware, spreads through fake job ads on Facebook, leading victims to a Discord URL where a PowerShell script downloads the malware payload. It employs various techniques like malicious file execution, HTML smuggling, and DLL sideloading to establish persistence and steal data every 90 minutes, sending it to a Telegram bot. Trustwave suggests links to specific usernames in software cracking forums and notes code similarities to Phemedrone, indicating potential threat actor origins.
Key takeaways from the report:
1. Ov3r_Stealer, a new password-stealing malware, is spreading through fake job advertisements on Facebook with the aim of stealing account credentials and cryptocurrency.
2. The malware infection chain starts with victims being lured through a fake job ad on Facebook, leading them to a Discord URL where a PowerShell script downloads the malware payload.
3. The malware employs various loading methods, such as malicious Control Panel files, weaponized HTML files, LNK files, and SVG files to execute its payload.
4. The final payload consists of three files: a legitimate Windows executable, a DLL for DLL sideloading, and a document containing the malicious code.
5. Ov3r_Stealer attempts to steal data from a wide range of apps and directories, including cryptocurrency wallet apps, web browsers, browser extensions, Discord, and Filezilla.
6. The stolen data is sent to a Telegram bot every 90 minutes, including the victim’s geolocation information and a summary of the stolen data.
7. Trustwave has found links between the exfiltration Telegram channel and specific usernames related to software cracking and has noted code similarities between Ov3r_Stealer and Phemedrone, a C# stealer.
8. Demo videos of the malware’s operation have been located, possibly indicating the threat actors’ attempts to attract buyers or collaborators.
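The exfiltration cadence in the summary (a post to a Telegram bot every 90 minutes) is the kind of detail a defender can turn into a detection. The following is an added example, not code from Trustwave or the report: it parses constructed proxy-log lines (the field layout, the workstation names and the `<TOKEN-PLACEHOLDER>` in the URL are all assumptions) and flags any client that contacts the Telegram bot API on a regular ~90-minute schedule, while leaving irregular, legitimate bot traffic alone.

```python
"""Flag clients that contact the Telegram bot API on a fixed ~90-minute cadence.

Added example (not from the Trustwave report). The constructed log lines
below imitate the behaviour the summary describes: stolen data posted to
a Telegram bot every 90 minutes. Log format, host names and the token
placeholder are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2024-02-07T08:00:05 ws-17 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument
2024-02-07T08:14:30 ws-17 GET https://www.example.com/
2024-02-07T09:30:07 ws-17 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument
2024-02-07T11:00:04 ws-17 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument
2024-02-07T12:30:09 ws-17 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument
2024-02-07T08:03:00 ws-22 GET https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/getUpdates
2024-02-07T08:05:00 ws-22 GET https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/getUpdates
2024-02-07T13:40:00 ws-22 GET https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/getUpdates
"""

BOT_API_HOST = "api.telegram.org"
EXPECTED_PERIOD_S = 90 * 60   # cadence stated in the report
TOLERANCE = 0.10              # accept +/- 10% jitter around that period
MIN_BEACONS = 3               # at least two intervals are needed to judge regularity


def parse_log(text):
    """Yield (client, timestamp) for every request whose host is the bot API."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url = parts
        host = url.split("://", 1)[-1].split("/", 1)[0]
        if host == BOT_API_HOST:
            yield client, datetime.fromisoformat(ts)


def find_periodic_beacons(text, period=EXPECTED_PERIOD_S, tol=TOLERANCE):
    """Return {client: median_gap_seconds} for clients whose bot-API contacts
    recur at roughly `period` seconds with every gap inside the tolerance."""
    seen = defaultdict(list)
    for client, ts in parse_log(text):
        seen[client].append(ts)

    flagged = {}
    window = tol * period
    for client, stamps in seen.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Regular cadence: the median sits near the period and no gap strays from it.
        if abs(med - period) <= window and all(abs(g - period) <= window for g in gaps):
            flagged[client] = med
    return flagged


if __name__ == "__main__":
    for client, med in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{client}: contacts {BOT_API_HOST} every ~{med / 60:.0f} min")
```

In the sample, `ws-17` posts at 90-minute intervals (with a few seconds of jitter) and is flagged; `ws-22` polls the same API but at irregular intervals and is not. Tightening or loosening `TOLERANCE` trades false positives against evasion by stealers that randomise their interval.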