If you see an ad on Facebook advertising a job, there is a decent chance that it is actually a lure to trick you into downloading a piece of malware called Ov3r_Stealer. The purpose of this malware is to steal your credentials as well as crypto wallet details, all of which are sent to a Telegram group operated by the malicious actor running the campaign.
It is important to note that the infostealer can scrape all sorts of data, including Word documents, credit card details, browser extensions, as well as which antivirus products the infected system is currently running.
It bears mentioning that the ultimate goal of the campaign isn't certain yet, although some are theorizing that the malicious actor receiving the data will look to sell it to the highest bidder. There's also a chance that the malware will be used to deploy ransomware somewhere down the line, but it remains to be seen whether this occurs.
According to a report released by Trustwave SpiderLabs, there’s a Facebook account impersonating current Amazon CEO Andy Jassy which might be behind this. The account is sharing a PDF file that’s been weaponized with the malware, and it encourages users to click on a link which will lead to the malware being installed on their system.
The profile was also boosting the fake job offers that are being used as the primary mode of disseminating the malware to a wider base of users. Since its infection chain matches that of the Phemedrone Stealer spotted recently, there’s a chance that Ov3r_Stealer is a repurposed version of Phemedrone. The malicious actor that created this malware has also shared reports about the Phemedrone Stealer, presumably in an attempt to establish their reputation as a provider of Malware as a Service.
This threat actor goes by the alias Liu Kong, and they've been expressing a lot of satisfaction that their malware made the news. Because the malware relies on a Windows flaw, a patch may be issued sooner rather than later.
Photo: Digital Information World - AIgen