Beware the Bait: How Ov3r_Stealer Malware Hijacks Your Job Hunt on Facebook

Beware the siren call of fake Facebook job ads! They’re not offering careers, but a crash course in cybertheft via Ov3r_Stealer malware. These management “opportunities” lead straight to a digital trap, with Trustwave unveiling the sneaky infection chain. Don’t let your credentials become the catch of the day!

Hot Take:

Oh, Facebook, the neighborhood bulletin board where instead of finding a cat-sitter, you get a free side of Ov3r_Stealer malware with your fake job application. Always remember, kids, the only thing free in a too-good-to-be-true job ad is a ticket to Hacksville. And who needs job benefits when you can have your crypto and passwords pilfered by a malware that uses more underscores in its name than a teenager’s first email address?

Key Points:

  • Fake Facebook job ads are the new ‘Nigerian prince’ of cyber scams, baiting users with cushy manager gigs only to dish out malware.
  • A Discord link in a OneDrive PDF is the new “candy in a van,” luring victims to download what might be the world’s worst DocuSign knockoff.
  • Malware’s fashion show features a range of disguises from deceptive Control Panel files to SVG files strutting their malicious stuff.
  • The Ov3r_Stealer’s three-piece suit includes a legitimate-looking Windows file, a DLL for sideloading, and a document that’s up to no good.
  • Trustwave is playing Sherlock, linking the malware to online forums and ambiguous demo video posters. Nationality? Unclear. Sneakiness? Off the charts.

Need to know more?

The Lure of the Phish

Imagine this: You're scrolling through Facebook, dreaming of a career leap, and BAM! A job ad for an Account Manager role pops up. It's like it was made for you. But wait, before you update your LinkedIn profile, this dream job is really a one-way ticket to Malwareville. One click on that ad and you're not heading to the corner office; you're downloading a payload that's more malicious than a gossiping colleague.

Disguise and Deceive

These hackers are like the costume department of a spy movie, using every disguise in the book. They've got malicious CPL files, weaponized HTML, and even LNK files that are about as trustworthy as a two-dollar bill. SVG smuggling? More like SVG muggings, am I right? It's a regular malware masquerade ball, and guess who's invited? Your computer. Party favors include data theft and a persistent 'Licensing2' task that's more persistent than a telemarketer.

The Malicious Triad

At the heart of this digital heist is a trio of files that could've been the leads in a cybercrime thriller. There's WerFaultSecure.exe, the Windows executable that seems legit but has a dark side. Wer.dll, the sidekick DLL that's all about that sideload life. And finally, Secure.pdf, the document that's anything but. Together, they form the Ocean's Three of malware, swiping your data every 90 minutes like clockwork.
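From a defender's seat, the two details above (the 'Licensing2' task and the WerFaultSecure.exe/Wer.dll sideload pair) are the parts worth hunting for. The following is an added example, not code from Trustwave or the original post: it runs three detection rules over a handful of constructed Sysmon-style events (Event ID 1 = process create, Event ID 7 = image load). The user paths and the schtasks command line are invented for illustration; the real task definition is not in the post.

```python
import re
import ntpath

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# create, EventID 7 = image (DLL) load. Paths and command lines are invented
# to mirror the pattern described in the post: a legitimate WerFaultSecure.exe
# copied next to a malicious Wer.dll, plus a "Licensing2" scheduled task.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFaultSecure.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Windows\System32\wer.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Wer.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Licensing2" /sc minute /mo 90 /tr "C:\\Users\\alice\\AppData\\Local\\Temp\\WerFaultSecure.exe"'},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TASK_RE = re.compile(r'/tn\s+"?licensing2"?', re.IGNORECASE)


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32/SysWOW64 (case-insensitive)."""
    return ntpath.normcase(ntpath.dirname(path)) in SYSTEM_DIRS


def findings(events):
    """Return (rule, evidence) tuples for events matching the Ov3r_Stealer pattern."""
    hits = []
    for e in events:
        image = ntpath.normcase(e.get("Image", ""))
        name = ntpath.basename(image)
        eid = e.get("EventID")
        # Rule 1: the signed WER binary running from a user-writable location.
        if eid == 1 and name == "werfaultsecure.exe" and not in_system_dir(image):
            hits.append(("werfaultsecure_outside_system32", image))
        # Rule 2: WerFaultSecure.exe loading a Wer.dll that is not the OS copy (the sideload).
        if eid == 7 and name == "werfaultsecure.exe":
            loaded = ntpath.normcase(e.get("ImageLoaded", ""))
            if ntpath.basename(loaded) == "wer.dll" and not in_system_dir(loaded):
                hits.append(("wer_dll_sideload", loaded))
        # Rule 3: schtasks creating the persistence task named in the report.
        if eid == 1 and name == "schtasks.exe" and TASK_RE.search(e.get("CommandLine", "")):
            hits.append(("licensing2_task_created", e["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in findings(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The same three rules translate directly into a SIEM query: flag the WER binary outside System32, flag a non-system Wer.dll loaded by it, and alert on any scheduled task named Licensing2.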

Where’s Waldo: Hacker Edition

Trustwave's cyber sleuths are piecing together the digital breadcrumbs, linking the malware's calling card back to the underbelly of software cracking forums. There's even a hint of international mystery, with demo videos in various languages and flags that throw us off the scent. Is this the work of a global mastermind or just a cybercriminal who can't decide on their favorite language? The plot thickens...

Pilfered Digital Pockets

What's on the malware's shopping list, you ask? Everything from crypto wallets to browser cookies. It's like a digital pickpocket that checks every pocket, nook, and cranny for valuables to swipe. It's not just after your money; it wants to know where you live, what you're typing, and probably what you had for breakfast. And it sends all this to a Telegram bot, because even malware needs a friend to talk to.

Tags: Cryptocurrency Theft, Data Exfiltration, Malware, PowerShell Attacks, Trustwave research