Novel Ov3r_Stealer malware spread via fraudulent Facebook job ads

Attackers have used fraudulent Facebook job ads to distribute the new Ov3r_Stealer information-stealing malware, which targets credentials, Microsoft Office documents, browser extensions, cryptocurrency wallets, and credit card information, according to The Hacker News. Threat actors have used a Facebook account impersonating Amazon CEO Andy Jassy, along with Facebook ads for digital advertising jobs, to spread a malicious PDF that lures targets into clicking an embedded "Access Document" button, which then redirects to a .URL file posing as a DocuSign document hosted on Discord's content delivery network, a report from Trustwave SpiderLabs showed. That file then facilitates delivery of a control panel item file and retrieval of a PowerShell loader before Ov3r_Stealer is triggered. Further investigation into Ov3r_Stealer's infection chain revealed similarities with the Phemedrone Stealer, which has leveraged the high-severity Windows Defender SmartScreen bypass vulnerability tracked as CVE-2023-36025, prompting researchers to suggest that the new malware may have been repurposed from Phemedrone.
