'Ov3r Stealer' Malware Spreads Through Facebook to Steal Crates of Info

The malware by design exfiltrates specific types of data such as geolocation, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according to researchers from Trustwave SpiderLabs.
The researchers first discovered the stealer in early December.
Later, they discovered that the actors behind the malware also use Facebook-based scams - including the creation of fake accounts - to spread the malware.
Eventually, weaponized links delivered through the ad led to a malicious Discord content-delivery URL, which ran a PowerShell script, masquerading as a Windows Control Panel binary, that downloaded the malware as three files from a GitHub site.
What really sets Ov3r Stealer apart is having several execution methods.
In addition to the PowerShell vector, Ov3r Stealer also can be executed on a victim's machine via HTML smuggling, SVG image smuggling, and LNK shortcut files masquerading as innocuous text documents.
Down the Cyberattacker Rabbit Hole

Once researchers followed the stolen data to Telegram, they found a rather complex origin story behind Ov3r Stealer, as the malware appears to have a range of threat actors behind it who conspire via multiple communication channels and platforms.
To boot, Ov3r Stealer can also be used in a modular way as a dropper for other malware or post-exploit tools, up to and including ransomware, the researchers said.
Ov3r Stealer's Various Execution Strategies

As mentioned, once a victim is compromised, the stealer uses several unique execution methods; the researchers observed one and gleaned a few others from sample code.
One loader used Windows CPL files - which are generally used for system settings within Windows - to run a remote PowerShell script to download the malware's three files.
Another method indicated by sample data is through HTML smuggling, which uses a weaponized HTML file, CustomCursor.
A third execution method is through a shortcut file.
The victim is presented with a file masquerading as a typical text file called Attitude Reports.
The actual file within the zip archive is a malicious.
Once opened, it will redirect the victim to the GitHub repository, as the CPL loader does, to download the actual payload. Attackers also use a technique called SVG smuggling to execute the file in a method that exploits the WinRAR Code Execution Vulnerability.
This method works similarly to HTML smuggling, except that the malicious files are embedded within a vector graphics file.
LNK shortcut file to download a PowerShell script to deliver the payload. That final payload is ultimately delivered in three files that are nested: WerFaultSecure.exe, a legitimate Windows executable; Wer.dll, a malicious file that WerFaultSecure loads; and Secure.
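The delivery chain described in this section leaves artifacts a defender can look for: a shortcut or Control Panel file carrying a document-like inner extension, the legitimate WerFaultSecure.exe sitting next to a Wer.dll in a user-writable directory (the sideloading pair named above), and a .cpl being launched from outside the Windows directory. The following Python triage script is an added example and is not Trustwave's or Dark Reading's code; the file names WerFaultSecure.exe, Wer.dll and "Attitude Reports" come from the article, while the directory paths, the other file names and the command lines are constructed sample data.

```python
"""Triage checks for the Ov3r Stealer delivery artifacts (added example, constructed input)."""
import re
from pathlib import PureWindowsPath

# Sideloading pair named in the article; everything else below is constructed.
SIDELOAD_HOST = "werfaultsecure.exe"
SIDELOAD_DLL = "wer.dll"
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
DOC_LIKE_EXTS = {".txt", ".doc", ".docx", ".pdf", ".rtf"}
LOADER_EXTS = {".lnk", ".cpl"}

# Constructed file listing: one disguised shortcut, one sideload pair in Temp,
# and the legitimate copies in System32 that must not be flagged.
SAMPLE_FILES = [
    r"C:\Users\alice\Downloads\Attitude Reports.txt.lnk",
    r"C:\Users\alice\Downloads\quarterly.docx",
    r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe",
    r"C:\Users\alice\AppData\Local\Temp\Wer.dll",
    r"C:\Windows\System32\WerFaultSecure.exe",
    r"C:\Windows\System32\Wer.dll",
]

# Constructed process command lines: a .cpl run from Downloads, and a normal
# built-in applet run from System32 (control.exe hands .cpl files to rundll32
# via shell32's Control_RunDLL export).
SAMPLE_CMDLINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\Downloads\invoice.cpl"',
    r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
]


def shortcut_disguised_as_document(path: str) -> bool:
    """True for a .lnk/.cpl whose name carries a document-like inner extension,
    e.g. 'Attitude Reports.txt.lnk' (the Explorer default hides the last one)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if not suffixes or suffixes[-1] not in LOADER_EXTS:
        return False
    return any(s in DOC_LIKE_EXTS for s in suffixes[:-1])


def sideload_pairs(paths) -> list:
    """Directories (lower-cased) holding both WerFaultSecure.exe and Wer.dll
    outside the Windows system directories, where the real ones live."""
    by_dir = {}
    for path in paths:
        p = PureWindowsPath(path)
        by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
    return sorted(
        d for d, names in by_dir.items()
        if SIDELOAD_HOST in names and SIDELOAD_DLL in names
        and not d.startswith(WINDOWS_DIRS)
    )


def cpl_run_outside_windows(cmdline: str) -> bool:
    """Flag a Control Panel applet launched from a path outside C:\\Windows.
    Quoted paths with spaces are matched by the [^"] class."""
    low = cmdline.lower()
    if "control_rundll" not in low and "control.exe" not in low:
        return False
    cpl_paths = re.findall(r'[a-z]:\\[^"]*?\.cpl\b', low)
    return any(not p.startswith("c:\\windows\\") for p in cpl_paths)


def triage(paths, cmdlines) -> dict:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "disguised_shortcuts": [p for p in paths if shortcut_disguised_as_document(p)],
        "sideload_dirs": sideload_pairs(paths),
        "cpl_from_user_paths": [c for c in cmdlines if cpl_run_outside_windows(c)],
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_FILES, SAMPLE_CMDLINES).items():
        print(f"{check}: {hits}")
```

The checks are deliberately narrow (exact file names from the report, a small set of document extensions), which keeps false positives low on a real file listing; broadening them to any DLL beside a copied signed Windows binary in a user-writable path is the natural next step for a hunt query.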
A Malware Poised to Go Big

Though Trustwave has not yet seen wide-ranging campaigns using this malware, the researchers believe it remains under continual development and continues to pose a threat.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 08 Feb 2024 16:40:16 +0000

