A novel stealer malware called “Ov3r_Stealer” is making the rounds on Facebook, spreading through job ads and accounts on the social media platform, and using various execution methods to steal reams of data from unwitting victims.
The malware by design exfiltrates specific types of data such as geolocation (based on IP), hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according to researchers from Trustwave SpiderLabs. It sends the info to a Telegram channel monitored by the threat actors.
The researchers first discovered the stealer in early December. It was being spread via a Facebook job advertisement for an account manager position, they revealed in a blog post and report published this week. Later, they discovered that the actors behind the malware also use Facebook-based scams — including the creation of fake accounts — to spread the malware.
Weaponized links delivered through the ad ultimately led to a malicious Discord content-delivery URL, which executed the stealer using a PowerShell script masquerading as a Windows Control Panel (CPL) binary; that script downloaded the malware in the form of three files from a GitHub site.
But what really sets Ov3r_Stealer apart is having several execution methods. In addition to the PowerShell vector, Ov3r_Stealer also can be executed on a victim’s machine via HTML smuggling, SVG image smuggling, and .LNK shortcut files masquerading as innocuous text documents.
Down the Cyberattacker Rabbit Hole
Once researchers followed the stolen data to Telegram, they found a rather complex origin story behind Ov3r_Stealer, as the malware appears to have a range of threat actors behind it who conspire via multiple communication channels and platforms.
Specifically, the researchers uncovered various pseudonyms, communication channels, and repositories for the stolen data that hold clues to who’s behind it and how they work.
“Aliases such as ‘Liu Kong,’ ‘MR Meta,’ ‘MeoBlackA,’ and ‘John Macollan’ were found in groups like ‘Pwn3rzs Chat,’ ‘Golden Dragon Lounge,’ ‘Data Pro,’ and ‘KGB Forums,’ where many ‘researchers,’ threat actors, and curious folk gather, meet up, and exchange hacks, malware, and cracked software daily,” according to the report.
It’s unknown exactly how attackers use the data once it’s stolen, but possibilities include selling it or using it for phishing. To boot, Ov3r_Stealer can also be used in a modular way as a dropper for other malware or post-exploit tools, up to and including ransomware, the researchers said.
Ov3r_Stealer’s Various Execution Strategies
As mentioned, once a victim is compromised, the stealer uses several unique execution methods; the researchers observed one and gleaned a few others from sample code. One loader used Windows CPL files — which are generally used for system settings within Windows — to run a remote PowerShell script to download the malware’s three files.
Another method indicated by sample data is through HTML smuggling, which uses a weaponized HTML file, CustomCursor.html, to load the CustomCursor.zip file that includes the malware files.
A third execution method is through a shortcut file (.LNK). The victim is presented with a file masquerading as a typical text file called Attitude_Reports.txt, located within a zip archive. The actual file within the zip archive, however, is a malicious .LNK file called Attitude_Reports.txt.lnk. Once opened, it will redirect the victim to the GitHub repository, as the CPL loader does, to download the actual payload.
Attackers also use a technique called SVG smuggling to execute the file, in a method that exploits the WinRAR code execution vulnerability (CVE-2023-38831). This method works similarly to HTML smuggling, except that the malicious files are embedded within a vector graphics file (SVG). The lure redirects to a “Copyright_Report.svg” file that, once opened, embeds and loads a .RAR file containing a Windows .LNK shortcut file, which downloads a PowerShell script to deliver the payload.
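Both the HTML smuggling and SVG smuggling variants described above rely on an archive being carried inside a markup file. As an added, illustrative check (not code from the Trustwave report), the scanner below looks for contiguous base64 blobs in an SVG or HTML document that decode to a RAR or ZIP header; the sample SVG and the RAR header it carries are constructed for the demonstration.

```python
import base64
import binascii
import re

# File signatures an embedded archive payload would start with once decoded
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "RAR4 archive",
    b"Rar!\x1a\x07\x01\x00": "RAR5 archive",
    b"PK\x03\x04": "ZIP archive",
}

# Plain base64 runs long enough to carry a file rather than a short token.
# This only catches contiguous standard-alphabet base64, the simple form
# described in the article; split or obfuscated encodings need more work.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_archives(markup: bytes):
    """Return (offset, label) for each base64 blob that decodes to an archive header."""
    hits = []
    for m in B64_RUN.finditer(markup):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not a clean base64 blob, skip it
        for magic, label in ARCHIVE_MAGIC.items():
            if decoded.startswith(magic):
                hits.append((m.start(), label))
                break
    return hits


# Constructed sample: a minimal SVG whose script holds a base64 RAR5 header
# followed by padding (no real archive content).
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>var p="'
    + base64.b64encode(FAKE_RAR)
    + b'";</script></svg>'
)

if __name__ == "__main__":
    for offset, label in find_embedded_archives(SAMPLE_SVG):
        print(f"embedded {label} at byte offset {offset}")
```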
That final payload is ultimately delivered in three files that are nested: WerFaultSecure.exe, a legitimate Windows executable; Wer.dll, a malicious file that WerFaultSecure loads; and Secure.pdf, which contains malicious code that Wer.dll will load.
Once executed, the malware will establish persistence by copying its files to the C:\Users\Public\Libraries\Books folder and creating a Windows scheduled task called “Licensing2,” which runs every 90 minutes to ensure continuous data exfiltration.
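A hunt for the persistence and payload indicators just described, as an added example that is not from the report: it checks constructed telemetry lines in a simplified key=value format (an assumed format, not real Sysmon output) for writes to the staging folder, Wer.dll being loaded by WerFaultSecure.exe from outside the Windows directory, and creation of the Licensing2 task.

```python
import re

PERSIST_DIR = r"c:\users\public\libraries\books"  # staging folder named in the report
TASK_NAME = "licensing2"                            # scheduled task named in the report

# Constructed sample telemetry (assumed key=value layout, values without spaces).
# Lines 1-3 mirror the chain in the article; lines 4-5 are benign look-alikes.
SAMPLE_EVENTS = [
    r"event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\Public\Libraries\Books\Wer.dll",
    r"event=ImageLoad image=C:\Users\Public\Libraries\Books\WerFaultSecure.exe loaded=C:\Users\Public\Libraries\Books\Wer.dll",
    r"event=TaskCreate taskname=\Licensing2 interval_min=90",
    r"event=ImageLoad image=C:\Windows\System32\WerFaultSecure.exe loaded=C:\Windows\System32\wer.dll",
    r"event=TaskCreate taskname=\Microsoft\Windows\Defrag\ScheduledDefrag interval_min=10080",
]


def parse(line: str) -> dict:
    """Split one key=value telemetry line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def hunt(lines):
    """Return (rule, evidence) tuples for events matching the Ov3r_Stealer indicators."""
    findings = []
    for line in lines:
        ev = parse(line)
        kind = ev.get("event")
        if kind == "FileCreate" and ev.get("target", "").lower().startswith(PERSIST_DIR):
            findings.append(("staging_dir_write", ev["target"]))
        elif kind == "ImageLoad":
            image = ev.get("image", "").lower()
            loaded = ev.get("loaded", "").lower()
            # The legitimate WerFaultSecure.exe lives under C:\Windows and loads its
            # DLLs from there; the same pairing from any other directory matches the
            # sideloading chain described in the article.
            if (image.endswith("\\werfaultsecure.exe") and loaded.endswith("\\wer.dll")
                    and not loaded.startswith("c:\\windows\\")):
                findings.append(("wer_dll_sideload", ev["loaded"]))
        elif kind == "TaskCreate":
            name = ev.get("taskname", "").lower().lstrip("\\")
            if name == TASK_NAME:
                findings.append(("persistence_task", ev["taskname"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```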
A Malware Poised to Go Big
Though Trustwave has not yet seen wide-ranging campaigns using this malware, the researchers believe it remains under continual development and continues to pose a threat. They included a comprehensive list of indicators of compromise (IoCs) in their report to help organizations identify the malware in their environment.
“As Ov3r_Stealer has been actively developed with multiple loader techniques, we may see this one eventually be sold or used in other campaigns in the future,” according to the report.
To avoid compromise or mitigate attacks by Ov3r_Stealer, Trustwave recommended that organizations implement “active and engaging” security awareness programs to help people spot malicious campaigns on social media and other attacker strategies.
Organizations also should use regular application and service audits and baselining, as well as practice up-to-date application patching to mitigate threats, the researchers added. Further, they should continuously hunt threats throughout their environments to pick up undetected compromises before they have time to do damage, they added.