New Password-Stealing Malware, Ov3r_Stealer, Spread Through Facebook Ads

A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency.

The fake job ads are for management positions and lead users to a Discord URL where a PowerShell script downloads the malware payload from a GitHub repository.

Analysts at Trustwave who discovered the malware campaign note that although none of its tactics are novel, it remains a severe threat to many potential victims, given Facebook’s popularity as a social media platform.

What kind of malware is Ov3r_Stealer?

Ov3r_Stealer is the name of an information-stealing malware. This program primarily targets log-in credentials and cryptocurrency wallets. There is some evidence suggesting that Ov3r_Stealer might have been based on the Phemedrone data-stealer. Ov3r_Stealer has been observed being spread via Facebook advertising centered on job offers.

Ov3r_Stealer malware overview

Ov3r_Stealer infiltrates systems following a multi-stage infection chain (described below). After the malware establishes persistence, it begins collecting relevant device data (e.g., hardware and system details, geolocation, etc.). The stealer uses Telegram for its C&C (Command and Control).

Ov3r_Stealer seeks to acquire the log-in credentials and other information related to cryptocurrency wallets. The program also aims to exfiltrate Microsoft Word and Excel, as well as plain text files. It also collects data associated with messengers and FTP (File Transfer Protocol) clients.

By far the most extensive target list of Ov3r_Stealer concerns browser extensions, it includes dozes of password managers and cryptocurrency-related add-ons (full list). Information stored on browsers is of interest to this malware as well. It can extract and exfiltrate Internet cookies, auto-fills, passwords, and credit card details. The stolen content is then sent to the attackers’ C&C channel.

It is pertinent to mention that malware developers commonly improve upon their software and techniques. Therefore, potential future variants of Ov3r_Stealer could boast additional/different capabilities and features.

In summary, the presence of software like Ov3r_Stealer on devices may lead to severe privacy issues, financial losses, and identity theft.

Vigilance and Defense

Given the stealthy nature of Ov3r_Stealer, prompt action is imperative for affected users. Employing robust anti-malware solutions can help detect and remove this threat, safeguarding systems from potential harm.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.