More fake Facebook job ads are spreading malware to steal all your details

Those that click on the ad are served a weaponized PDF file with an embedded “Access Document” button. Clicking the button triggers a chain reaction that ultimately delivers an infostealer called Ov3r_Stealer.

Selling data on the dark web

"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in its report.

Besides stealing passwords and crypto wallet data, Ov3r_Stealer can also steal IP address-based locations, hardware information, cookies, credit card data, auto-fills, browser extensions, Microsoft Office documents, and a list of antivirus products that the victim has installed on their Windows device.

At this point, the goal of the campaign seems to be data exfiltration, likely to be sold to a third-party at a later date. However, the researchers don’t exclude the possibility of the malware being updated to act as a ransomware encryptor, too.

The campaign appears to have quite a few similarities with another recently discovered campaign that was delivering the Phemedrone Stealer. In both cases, the attackers used the same GitHub repository (nateeintanan252) to pull the loader, and both infostealers share plenty of code.  

"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer," Trustwave said. "The main difference between the two is that Phemedrone is written in C#."

The researchers even found a person on Telegram, by the name Liu Kong, claiming to have developed both variants, and stating they were happy with how the tool works in the wild.

More from TechRadar Pro

• Cisco patches IOS XE zero-days used to hack over 50,000 devices
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now