Cybersecurity researchers have discovered yet another malicious Facebook ad campaign that aims to trick users into installing malware on their Windows devices.
The Trustwave SpiderLabs team revealed how an unnamed threat actor created a Facebook ad campaign for digital advertising jobs.
Those who click on the ad are presented with a weaponized PDF file containing a built-in ‘Access Document’ button. Clicking the button triggers a chain of downloads that ultimately deploys an infostealer called Ov3r_Stealer.
Selling data on the dark web
“This malware is designed to steal credentials and crypto wallets and send them to a Telegram channel that the threat actor is monitoring,” Trustwave SpiderLabs said in its report.
In addition to stealing passwords and crypto wallet details, Ov3r_Stealer can also collect IP address-based location, hardware information, cookies, credit card information, browser autofill data, browser extensions, Microsoft Office documents, and a list of the antivirus products installed on the victim's Windows device.
At this point, the goal of the campaign appears to be data exfiltration; the stolen data will likely be sold to a third party at a later date. However, the researchers do not rule out that the malware will be updated to also act as a ransomware encryptor.
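The exfiltration channel described above, a Telegram channel fed by the malware, is also the most visible part of the chain from a defender's side: every upload goes to the well-known Telegram Bot API host, in the fixed URL shape `https://api.telegram.org/bot<token>/<method>`. The following detection script is an added example written for this article, not code from Trustwave SpiderLabs or from the malware; it scans constructed web-proxy log lines for Bot API upload calls made by processes other than the official Telegram client, and redacts the bot token so the alert can be shared safely. The log format, the host and process names, the `updater.exe` file name and the bot token are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log (not from the article): one request per line,
# fields: timestamp host process method url
SAMPLE_PROXY_LOG = """\
2024-02-06T10:01:12Z WS-042 chrome.exe GET https://www.facebook.com/
2024-02-06T10:02:45Z WS-042 AcroRd32.exe GET https://cdn.example.invalid/Access_Document.pdf
2024-02-06T10:03:10Z WS-042 updater.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument
2024-02-06T10:03:11Z WS-042 updater.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendMessage
2024-02-06T10:05:00Z WS-017 Telegram.exe GET https://web.telegram.org/k/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<process>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)
# Shape of a Telegram Bot API call: https://api.telegram.org/bot<token>/<apiMethod>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<api_method>\w+)")
# Bot API methods that carry data out of the network; sendDocument is the one
# an infostealer would use to upload an archive of harvested files
EXFIL_API_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Assumption: only the official desktop client is tolerated talking to Telegram
ALLOWED_PROCESSES = {"telegram.exe"}


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so the alert is useful without leaking the secret."""
    bot_id, sep, _secret = token.partition(":")
    return f"{bot_id}:***" if sep else "***"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy log line into its fields; None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bot_api_exfil(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per Bot API upload call made by a non-allowlisted process."""
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        api = BOT_API_RE.match(rec["url"])
        if not api or api["api_method"] not in EXFIL_API_METHODS:
            continue
        if rec["process"].lower() in ALLOWED_PROCESSES:
            continue
        alerts.append({
            "timestamp": rec["ts"],
            "host": rec["host"],
            "process": rec["process"],
            "api_method": api["api_method"],
            "bot": redact_token(api["token"]),  # bot id survives for correlation, secret does not
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bot_api_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```

Run against the constructed log, the script raises two alerts for the `updater.exe` calls on WS-042 and ignores both the browser traffic and the official client on WS-017. The same rule maps directly onto a proxy or DNS query in a SIEM: the Bot API host is fixed, so the interesting variable is which process on which host is calling it, not the token.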
The campaign appears to share several similarities with another recently discovered campaign that delivered the Phemedrone Stealer. In both cases, the attackers fetched the loader from the same GitHub repository (nateeintanan252), and the two infostealers share a large amount of code.
“This malware was recently reported and Phemedrone may have been repurposed and renamed to Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”
The researchers even found a person on Telegram named Liu Kong who claimed to have developed both variants and stated that he was satisfied with the way the tool works in the wild.