February 06, 2024

Hackers are Using Facebook Phishing Malware to Steal Crypto Credentials, warns Trustwave SpiderLabs Report

Published: February 06, 2024 at 9:06 am Updated: February 06, 2024 at 9:20 am

Edited and fact-checked: February 06, 2024 at 9:06 am

In Brief

Trustwave SpiderLabs discovered crypto credential stealing malware Ov3r_Stealer, highlighting the rise in crypto security threat landscape.

Hackers Are Using Facebook Phishing Malware to Steal Crypto Credentials, Warns Trustwave SpiderLabs Report

Cybersecurity company Trustwave SpiderLabs discovered a new malware named Ov3r_Stealer during an Advanced Continual Threat Hunt (ACTH) campaign investigation in early December 2023.

Ov3r_Stealer is crafted by malicious actors and is engineered with a nefarious purpose to steal sensitive credentials and cryptocurrency wallets from unsuspecting victims and send them to a Telegram channel monitored by the threat actor.

The initial attack vector was traced back to a deceptive Facebook job advertisement masquerading as an opportunity for an Account Manager position. Intrigued individuals, unsuspecting of the impending threat, were enticed to click on links embedded within the advertisement, redirecting them to a malicious Discord content delivery URL.

“For the Malvertisement initial attack vector to be realized on a victim’s environment, the user would have to click on the link provided in the advertisement. From there, they would be redirected via a URL shortening service to a CDN. The CDN observed in the instances we observed was cdn.discordapp.com,” Greg Monson, Trustwave SpiderLabs cyber threat intelligence Team Manager told Metaverse Post.

“From there, the victim may be tricked into downloading the payload of Ov3r_Stealer. Once downloaded, it will retrieve the next payload as a Windows Control Panel File (.CPL). In the observed instance, the.CPL file connects to a GitHub repository through a PowerShell script to download additional malicious files,” Monson added.

It is important to note that loading the malware onto the system includes HTML Smuggling, SVG Smuggling, and LNK file masquerading. Once executed, the malware creates a persistence mechanism through a Scheduled Task and runs every 90 seconds.

Growing Cyber Threats Prompt Proactive Security Measures

These malwares exfiltrate sensitive data like geolocation, passwords, credit card details and more to a Telegram channel monitored by threat actors, highlighting the evolving landscape of cyber threats and the importance of proactive cybersecurity measures.

“While we aren’t aware of the intentions the threat actor had behind collecting the information stolen via this malware, we have seen similar information be sold on various Dark Web forums. Credentials bought and sold on these platforms can be a potential access vector for ransomware groups to conduct operations,” Trustwave SpiderLabs’ Greg Monson told Metaverse Post.

“Regarding speculating on the intentions of the threat actor we were tracking, a potential motivation could be harvesting account credentials to various services and then sharing and/or selling them via Telegram in the ‘Golden Dragon Lounge’. Users in this telegram group can often be found soliciting different services, such as Netflix, Spotify, YouTube and cPanel,” he added.

Moreover, the investigation by the team led to various aliases, communication channels, and repositories used by the threat actors, including aliases like ‘Liu Kong,’ ‘MR Meta,’ MeoBlackA, and ‘John Macollan’ found in groups like ‘Pwn3rzs Chat,’ ‘Golden Dragon Lounge,’ ‘Data Pro,’ and ‘KGB Forums.’

On December 18, the malware became known to the public and was reported in VirusTotal.

“The uncertainty of how the data will be used does add some complications from a mitigation standpoint but the steps an organization should take to remediate should be the same. Training users to identify potentially malicious links and applying security patches for vulnerabilities is one of the first steps an organization should take to prevent an attack like this,” said Monson.

“In the event, that malware is found with this type of capability, it would be advisable to reset the password of affected users, as that information could be used in a secondary attack with greater implications,” he added.

Another malware, Phemedrone, shares all the characteristics of Ov3r_Stealer but is written in a different language (C#). It’s recommended to hunt through telemetry to identify any potential usage of this malware and its variants in systems despite the listed IOCs possibly not being relevant to current malware attacks.

Disclaimer

In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.

About The Author

Kumar is an experienced Tech Journalist with a specialization in the dynamic intersections of AI/ML, marketing technology, and emerging fields such as crypto, blockchain, and NFTs. With over 3 years of experience in the industry, Kumar has established a proven track record in crafting compelling narratives, conducting insightful interviews, and delivering comprehensive insights. Kumar's expertise lies in producing high-impact content, including articles, reports, and research publications for prominent industry platforms. With a unique skill set that combines technical knowledge and storytelling, Kumar excels at communicating complex technological concepts to diverse audiences in a clear and engaging manner.

Kumar Gandharv