Attacks leveraging fraudulent Facebook job ads have been launched to facilitate the distribution of the new Ov3r_Stealer information-stealing malware that targets credentials, Microsoft Office documents, browser extensions, cryptocurrency wallets, and credit card information, according to The Hacker News.
Threat actors have used a Facebook account impersonating Amazon CEO Andy Jassy and Facebook digital advertising job ads to spread a malicious PDF that lures targets into clicking an embedded "Access Document" button, which then redirects to a .URL file posing as a DocuSign document hosted on Discord's content delivery network, a report from Trustwave SpiderLabs showed. That file then facilitates delivery of a control panel item file and retrieval of a PowerShell loader before Ov3r_Stealer is triggered.
Further investigation into Ov3r_Stealer's infection chain revealed similarities with the Phemedrone Stealer, which has leveraged the high-severity Windows Defender SmartScreen bypass vulnerability tracked as CVE-2023-36025, prompting researchers to suggest that the new malware may have been repurposed from Phemedrone.
Malicious updates have been recently issued to the Python Package Index package "django-log-tracker," which was last modified in April 2022, to facilitate the distribution of the Nova Sentinel information-stealing malware, The Hacker News reports.