Ov3r_Stealer: Your passwords, crypto, and data are all in the hands of hackers

Facebook ads are once again implicated in the spread of malware.

A new report from Trustwave has revealed an advanced campaign to distribute powerful malicious software that aims to steal data from infected computers.

The attack chain starts with a Facebook ad that leads to a PDF file on OneDrive which supposedly contains job details. When the user tries to open the file, they are instead redirected to download a file called "pdf2.cpl" hosted on Discord.

This file is presented as a DocuSign document, but it is actually a PowerShell payload that is executed through a Windows Control Panel (.cpl) file.

Trustwave has identified four main methods of delivering the malware. The infection occurs via:
  • CPL files that fetch remote PowerShell scripts;
  • HTML files that use HTML smuggling to embed encrypted ZIP archives with malicious content;
  • LNK files (Windows shortcuts) disguised as text files;
  • SVG files with embedded RAR archives.

The final payload consists of three files: a legitimate Windows executable (WerFaultSecure.exe), a DLL that is loaded via DLL sideloading (Wer.dll), and a document containing the malicious code (Secure.pdf).

Once executed, the malware establishes persistence on the infected system by creating a scheduled task named "Licensing2" that runs every 90 minutes.
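The two host artefacts described above, the "Licensing2" task with its 90-minute interval and the WerFaultSecure.exe / Wer.dll sideloading pair, can be checked for with a short hunting script. This is an added example, not code from the post or from Trustwave; the search roots, the case-insensitive name match and the assumption that a legitimate WerFaultSecure.exe lives only under System32 or SysWOW64 are mine.

```powershell
# Added hunting script (not from the Trustwave report or the post).
# From the post: task name "Licensing2", 90-minute interval, WerFaultSecure.exe + Wer.dll.
# Assumed: search roots below, and that WerFaultSecure.exe belongs only in System32/SysWOW64.
function Find-StealerPersistence {
    param(
        [string]$TaskName = 'Licensing2',
        [timespan]$Interval = [timespan]::FromMinutes(90),
        [string[]]$SearchRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)
    )
    $findings = @()

    # 1. Scheduled tasks: flag the known name, or any task whose trigger repeats at the
    #    90-minute beacon interval (Repetition.Interval is an ISO 8601 duration, e.g. PT90M).
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $hit = ($task.TaskName -eq $TaskName)
        foreach ($trigger in $task.Triggers) {
            $iso = $trigger.Repetition.Interval
            if ($iso -and [System.Xml.XmlConvert]::ToTimeSpan($iso) -eq $Interval) { $hit = $true }
        }
        if ($hit) {
            $findings += [pscustomobject]@{
                Type    = 'ScheduledTask'
                Where   = "$($task.TaskPath)$($task.TaskName)"
                Details = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }

    # 2. DLL sideloading: a WerFaultSecure.exe outside the system directories, especially
    #    one with a Wer.dll sitting next to it, matches the loader described in the report.
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $copies = Get-ChildItem -Path $SearchRoots -Recurse -Force -Filter 'WerFaultSecure.exe' -ErrorAction SilentlyContinue
    foreach ($exe in $copies) {
        if ($systemDirs -contains $exe.DirectoryName) { continue }
        $note = 'no Wer.dll alongside'
        if (Test-Path (Join-Path $exe.DirectoryName 'Wer.dll')) { $note = 'Wer.dll present alongside' }
        $findings += [pscustomobject]@{
            Type    = 'SideloadCandidate'
            Where   = $exe.FullName
            Details = $note
        }
    }
    return $findings
}

# One row per finding; empty output means nothing matched on this host.
Find-StealerPersistence | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that tasks and directories belonging to other users are visible.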

Ov3r_Stealer aims to steal data from a wide range of applications, including cryptocurrency wallets, web browsers, browser extensions, Discord, Filezilla and many others, and also examines the configuration of system services in the Windows registry, probably to identify potential targets.

The stolen information, including the victim's geolocation data and a summary of what was collected, is sent to a Telegram bot every 90 minutes. Trustwave has discovered a link between the Telegram exfiltration channel and certain usernames active on hacking-related forums.

In addition, the researchers note the similarity of the Ov3r_Stealer code to the C# malware Phemedrone, which may indicate that the latter served as the basis for the new stealer.

In demonstration videos that appear to show the malware in operation, the attackers used Vietnamese and Russian, as well as the French flag, which makes it impossible to clearly determine their nationality. Perhaps they were deliberately trying to make attribution more difficult.