A recent cybersecurity threat has emerged in the form of the Nova Stealer malware, which is a variant of the well-known SnakeLogger stealer. This malicious software is being promoted on hacking forums under a Malware-as-a-Service (MaaS) model, allowing potential attackers to purchase a 30-day license for as little as $50.
The Nova Stealer is causing concern among cybersecurity experts due to its ability to steal sensitive information, including credentials, keystrokes, and screenshots. Additionally, this malware has the capability to circumvent detection measures by disabling security tools, making it a formidable threat to organizations and individuals alike.
Researchers at BI.ZONE have found that Nova Stealer is distributed primarily through phishing emails, with the malware disguised as a legitimate attachment such as a contract. Once run, it decodes its steganographically concealed payload and copies itself into the AppData\Roaming directory. To evade detection, it uses PowerShell to add itself to the Microsoft Defender exclusion list.
Persistence and evasion techniques employed by Nova Stealer include utilizing the Windows Task Scheduler and employing steganography to conceal its payload. The malware also injects the decoded payload into a spawned child process using process hollowing techniques. It is capable of stealing saved credentials from browsers like Mozilla Firefox and Chrome, logging keystrokes, taking screenshots, and extracting clipboard data. The stolen information is exfiltrated via SMTP or FTP, depending on the configuration.
To mitigate the risks associated with Nova Stealer and similar threats, organizations are advised to monitor corporate accounts on underground resources, implement effective email filtering to block phishing attempts, and utilize Endpoint Detection and Response (EDR) tools to identify suspicious activity. BI.ZONE EDR rules can also assist in detecting Nova Stealer’s malicious behavior, such as the addition of new Windows Defender exceptions, the creation of suspicious tasks using schtasks, access to an IP detection service, and browser stealer activity.
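The two behaviours named above, a Defender exclusion added through PowerShell and a scheduled task created with schtasks, can be matched directly on process-creation telemetry. The script below is an added illustration written for this article, not BI.ZONE's EDR rule set; the event field names (`image`, `cmdline`) and the sample events are constructed assumptions that would be mapped from Sysmon Event ID 1 or Windows Security 4688 fields in a real deployment.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath '
                r'C:\Users\alice\AppData\Roaming\update.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Updater "
                r"/tr C:\Users\alice\AppData\Roaming\update.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Get-MpPreference"'},
]

# Add-/Set-MpPreference with any -Exclusion* parameter adds a Defender exclusion.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# schtasks /create registers a new scheduled task (the persistence step).
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
# The article describes the copy landing under AppData\Roaming.
USER_WRITABLE = re.compile(r"\\AppData\\Roaming\\", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire on one event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    hits: List[str] = []
    if image.endswith(("powershell.exe", "pwsh.exe")) and DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    if image.endswith("schtasks.exe") and TASK_CREATE.search(cmd):
        hits.append("scheduled_task_created")
    # Either rule pointing into a user-writable profile directory matches the
    # pattern described for Nova Stealer, so tag it for priority triage.
    if hits and USER_WRITABLE.search(cmd):
        hits.append("appdata_roaming_path")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> rule hits for every event that triggered a rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx]["cmdline"])
```

Benign administration also calls these commands, so the rules are triage signals to correlate with the parent process and the target path rather than block-on-sight alerts.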
The affordability and ease of use of Nova Stealer make it a significant threat, as it has the potential to evade detection and extract sensitive data with ease. Organizations must remain vigilant and adopt proactive measures to safeguard against such threats. It is crucial to stay informed about the latest cybersecurity developments and implement robust security measures to protect against evolving cyber threats.
Key Indicators of Compromise (IoCs) associated with Nova Stealer include specific hashes and suspicious task creation via schtasks.exe. By investigating and monitoring these IoCs, organizations can enhance their cybersecurity defenses and detect potential security breaches before they lead to significant data loss or damage.
In conclusion, the Nova Stealer malware poses a serious risk to cybersecurity, highlighting the importance of ongoing vigilance and robust security measures to safeguard against evolving cyber threats. By staying informed and adopting proactive security practices, organizations can mitigate the risks associated with Nova Stealer and other malicious software variants.