Cybersecurity researchers have spotted yet another malicious Facebook ad campaign looking to trick users into installing malware on your Windows device.
The team from Trustwave SpiderLabs revealed how an unnamed threat actor created a Facebook ad campaign for digital advertising jobs.
Those that click on the ad are served a weaponized PDF file with an embedded “Access Document” button. Clicking the button triggers a chain reaction that ultimately delivers an infostealer called Ov3r_Stealer.
Selling data on the dark web
“This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in its report.
Besides stealing passwords and crypto wallet data, Ov3r_Stealer can also steal IP address-based locations, hardware information, cookies, credit card data, auto-fills, browser extensions, Microsoft Office documents, and a list of antivirus products that the victim has installed on their Windows device.
At this point, the goal of the campaign seems to be data exfiltration, likely to be sold to a third-party at a later date. However, the researchers don’t exclude the possibility of the malware being updated to act as a ransomware encryptor, too.
The campaign appears to have quite a few similarities with another recently discovered campaign that was delivering the Phemedrone Stealer. In both cases, the attackers used the same GitHub repository (nateeintanan252) to pull the loader, and both infostealers share plenty of code.
“This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” Trustwave said. “The main difference between the two is that Phemedrone is written in C#.”
The researchers even found a person on Telegram, by the name Liu Kong, claiming to have developed both variants, and stating they were happy with how the tool works in the wild.