In the contemporary digital era, where social media platforms play a pivotal role in fostering connections among individuals and businesses, there is a mounting apprehension regarding the proliferation of deceptive job advertisements on Facebook.
Threat actors are using fake Facebook job ads to deceive potential victims into installing a new Windows-based stealer malware named Ov3r_Stealer. This malware is designed to steal credentials and cryptocurrency wallets and send them to a monitored Telegram channel. Ov3r_Stealer can gather various types of sensitive information, including IP address-based location, hardware details, passwords, cookies, credit card information, browser extensions, and more. The exact purpose of the campaign is unknown, but it is likely that the stolen data is sold to other threat actors or used to distribute additional payloads, such as ransomware.
The attack starts with a weaponized PDF file disguised as a OneDrive document. It prompts users to click an "Access Document" button, which leads them to an internet shortcut file (.URL) pretending to be a DocuSign document hosted on Discord's content delivery network. This shortcut file acts as a conduit to deliver a control panel item (.CPL) file, executed using the Windows Control Panel process binary, “control.exe” [T1218.002]. The CPL file then retrieves a PowerShell loader ("DATA1.txt") from a GitHub repository, which ultimately launches Ov3r_Stealer.
It is important to note that a similar infection chain was recently reported by Trend Micro, where threat actors exploited the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8) to drop another stealer called Phemedrone Stealer. The GitHub repository used (nateeintanan2527) and code-level overlaps between Ov3r_Stealer and Phemedrone further share similarities.
In summary, individuals searching for employment opportunities online face a notable threat from deceptive job advertisements on Facebook. By staying informed about the strategies employed by cybercriminals, such as the dissemination of malware like 'Ov3r_Stealer,' and by taking preemptive measures to ensure your protection, you can minimize the risk of falling prey to scams and secure your confidential data. It's crucial to approach job ads on social media platforms with caution and prioritize cybersecurity to navigate the digital landscape safely.
User awareness training.
Identify and block potentially malicious and unknown .cpl files by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content.
The Hacker News. (2024, February 6). BeWARE: Fake Facebook job ads spreading “Ov3r_Stealer” to steal crypto and credentials. https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html
System Binary Proxy Execution: Control Panel, Sub-technique T1218.002 - Enterprise | MITRE ATT&CK. https://attack.mitre.org/techniques/T1218/002/
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to firstname.lastname@example.org.
Learn more about CyberForce|Q.