The novel stealer malware called “Ov3r_Stealer” is making the rounds on Facebook, spreading through job postings and accounts on the social media platform and using various execution methods to steal mountains of data from unknowing victims.
According to researchers at Trustwave SpiderLabs, the malware is designed to exfiltrate specific types of data such as geolocation (IP-based), hardware information, passwords, cookies, credit card information, autofill data, browser extensions, crypto wallets, Office documents and information about installed antivirus products, and to send that information to a Telegram channel monitored by the threat actors.
Researchers first discovered the stealer in early December. It was circulated via a job advert on Facebook for an account manager position, they revealed in a blog post and report published this week. Later, they discovered that the malware’s authors also use Facebook-based scams, including creating fake accounts, to spread the malware.
Ultimately, the weaponized links provided via the ad lead to a malicious Discord content delivery URL, which executed the stealer via a PowerShell script masquerading as a Windows Control Panel (CPL) binary; that script downloads the malware in the form of three files from a GitHub repository.
But what really sets Ov3r_Stealer apart is its multiple execution methods. In addition to the PowerShell vector, Ov3r_Stealer can also be executed on the victim’s computer via HTML smuggling, SVG image smuggling, and .LNK shortcut files disguised as harmless text documents.
Down the cyber attacker’s rabbit hole
Once researchers followed the stolen data to Telegram, they discovered a rather complex origin story behind Ov3r_Stealer, as the malware appears to have a number of threat actors behind it conspiring across multiple communication channels and platforms.
Specifically, researchers have uncovered various aliases, communication channels, and archives for the stolen data that hold clues to who is behind it and how they work.
“Aliases like ‘Liu Kong’, ‘MR Meta’, MeoBlackA and ‘John Macollan’ have been found in groups like ‘Pwn3rzs Chat’, ‘Golden Dragon Lounge’, ‘Data Pro’ and ‘KGB Forums’, where many “Researchers,” threat actors, and curious people gather, meet, and exchange hacks, malware, and cracked software every day,” according to the report.
It is not known exactly how the attackers use the data once stolen, but it could be sold or used for phishing. Additionally, Ov3r_Stealer can also be used modularly as a dropper for other malware or post-exploitation tools, up to and including ransomware, the researchers said.
The various execution strategies of Ov3r_Stealer
As mentioned, once the victim is compromised, the stealer uses several distinct execution methods; the researchers observed one in the wild and collected a few others from the sample code. One loader used Windows CPL files, normally used for system settings in Windows, to run a remote PowerShell script that downloads the three malware files.
Another method indicated by the sample data is HTML smuggling, which uses a weaponized HTML file, CustomCursor.html, to load the CustomCursor.zip file that includes the malware files.
A third method of execution is via a link file (.LNK). The victim is presented with a file disguised as a typical text file called Attitude_Reports.txt, located inside a zip archive. The actual file inside the zip archive, however, is a malicious .LNK file called Attitude_Reports.txt.lnk. Once opened, it will redirect the victim to the GitHub repository, like the CPL loader does, to download the actual payload.
Attackers also use a technique called SVG smuggling to execute the file in a method that exploits the WinRAR code execution vulnerability (CVE-2023-38831). This method works similarly to HTML smuggling, except that the malicious files are embedded in a vector graphics (SVG) file. The chain redirects to a “Copyright_Report.svg” file which, when opened, embeds and loads a .RAR archive containing a Windows .LNK shortcut file that downloads a PowerShell script to deliver the payload.
The final payload is deployed as three nested files: WerFaultSecure.exe, a legitimate Windows executable; Wer.dll, a malicious library loaded by WerFaultSecure; and Secure.pdf, which contains malicious code that is in turn loaded by Wer.dll.
Once executed, the malware establishes persistence by copying its files to the C:\Users\Public\Libraries\Books folder and creating a Windows scheduled task called “Licensing2” that runs every 90 minutes to ensure continuous exfiltration of data.
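The payload layout and persistence traits described in the two paragraphs above translate directly into hunting logic. The following is an added example, not code from the Trustwave report: it scores constructed Windows telemetry records (the record shapes and field names are assumptions loosely modelled on Sysmon-style events) against the staging folder, the three payload file names, the WerFaultSecure.exe/Wer.dll sideload and the 90-minute “Licensing2” task.

```python
# Added hunting example (not from the report). Event dicts below are constructed
# and their field names are assumptions; the indicators themselves come from the text.
STAGING_DIR = r"c:\users\public\libraries\books"   # staging folder from the report
TASK_NAME = "licensing2"                            # scheduled task name from the report
PAYLOAD_FILES = {"werfaultsecure.exe", "wer.dll", "secure.pdf"}

def _norm(path: str) -> str:
    """Normalise a Windows path for case- and separator-insensitive comparison."""
    return path.replace("/", "\\").lower()

def match_event(ev: dict) -> list[str]:
    """Return the names of the indicators an event hits (empty list = no hit)."""
    hits = []
    kind = ev.get("type")
    if kind == "task_created":
        if ev.get("task_name", "").lower() == TASK_NAME:
            hits.append("task-name")
        # a 90-minute repeat whose action lives in the staging folder is the report's cadence
        if ev.get("interval_minutes") == 90 and _norm(ev.get("action", "")).startswith(STAGING_DIR):
            hits.append("task-interval-staging-dir")
    elif kind == "image_load":
        image, loaded = _norm(ev.get("image", "")), _norm(ev.get("loaded", ""))
        # the legitimate WerFaultSecure.exe pulling Wer.dll from a user-writable folder
        if image.endswith("\\werfaultsecure.exe") and loaded.startswith(STAGING_DIR) \
                and loaded.endswith("\\wer.dll"):
            hits.append("sideload-from-staging-dir")
    elif kind == "file_create":
        target = _norm(ev.get("target", ""))
        if target.startswith(STAGING_DIR) and target.rsplit("\\", 1)[-1] in PAYLOAD_FILES:
            hits.append("payload-file-in-staging-dir")
    return hits

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every event through the rule; return (index, hits) for each that matched."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "task_created", "task_name": "Licensing2", "interval_minutes": 90,
     "action": r"C:\Users\Public\Libraries\Books\WerFaultSecure.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\Libraries\Books\WerFaultSecure.exe",
     "loaded": r"C:\Users\Public\Libraries\Books\Wer.dll"},
    {"type": "file_create", "target": r"C:\Users\Public\Libraries\Books\Secure.pdf"},
    {"type": "image_load", "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\wer.dll"},  # benign: the system's own copy
]

if __name__ == "__main__":
    for index, indicators in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(indicators)}")
```

The benign fourth record shows why the folder check matters: the same executable and DLL names under System32 should not fire.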
A malware ready to become big
While Trustwave has not yet seen any large-scale campaigns using this malware, researchers believe it is under continuous development and remains an ongoing threat. In their report they included a comprehensive list of indicators of compromise (IoCs) to help organizations identify the malware in their environments.
“Since Ov3r_Stealer is being actively developed with different loading techniques, we may see it possibly sold or used in other campaigns in the future,” according to the report.
To avoid compromise or mitigate Ov3r_Stealer attacks, Trustwave recommended that organizations implement “active and engaging” security awareness programs to help people spot malicious social media campaigns and other attacker strategies.
Organizations should also perform regular application and service audits and baselining, as well as keep applications patched and up to date, to mitigate threats, the researchers added. Furthermore, they should continuously threat hunt across their environments to spot undetected compromises before they have time to cause damage.