chartingshow / crypto-firewall

🎁 Blocks browser-based crypto mining, cryptojacking, banking and crypto malware and phishing websites, apps and hackers command-and-control (C2) servers.
GNU General Public License v3.0

Block `Ov3r_Stealer` malware aiming to steal account credentials and cryptocurrency #437

Closed summercms closed 7 months ago

summercms commented 7 months ago

Enhancement idea

Description

In early December, during an Advanced Continual Threat Hunt (ACTH) campaign investigation, a new malware named Ov3r_Stealer was discovered. At a high level, this malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors. The tactics and techniques used to drop the malware, and the code itself, are not unique, but because this malware was relatively unknown at the time of discovery, it allowed our investigators to dig a little deeper into its backstory and potentially the origins of this malware.

Links

https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf

IOC

I2P websites

n/a

IPFS websites

n/a

Tor2web websites

n/a

TOR websites

n/a

URLs

github.com/nateeintanan2527

Above: Have reported to GitHub to close this malware developer's account.


Folders

n/a

Sub-Domains

n/a

Domains

n/a

IPs

51.79.185.145

Emails

john.mocally174@40mail.ru

Wallet addresses

n/a

Mining pool addresses

n/a