Beware of Nova Stealer Malware Sold for $50 on Hacking Forums


Feb 6, 2025 - 22:08

A recent cybersecurity threat has emerged in the form of the Nova Stealer malware, a fork of the popular SnakeLogger stealer.

This malware is being marketed on hacking forums under a Malware-as-a-Service (MaaS) model, making it accessible to a wide range of attackers for as little as $50 for a 30-day license.

The Nova Stealer is particularly concerning due to its capabilities to steal sensitive information, including credentials, keystrokes, and screenshots, and its ability to evade detection by disabling security tools.

Cybersecurity researchers at Bi.Zone found that Nova Stealer is distributed via phishing emails, with the malware disguised as a legitimate attachment such as a contract.

Once executed, the malware decodes its steganographically hidden payload and copies itself into the AppData\Roaming directory.

It then uses PowerShell to add the copied executable to the Microsoft Defender exclusion list, so that Defender will no longer scan it:

Add-MpPreference -ExclusionPath "C:\Users\%USERNAME%\AppData\Roaming\%FILENAME%.exe"

Persistence and Evasion Techniques

Nova Stealer gains persistence by creating a scheduled task through the Windows Task Scheduler, with the task definition supplied as an XML file from the user's Temp directory:

schtasks.exe /Create /TN "Updates\wZhPqlmXA" /XML "C:\Users\%USERNAME%\AppData\Local\Temp\tmp46B8.tmp"

The payload is hidden with steganography; once decoded, it is injected into a newly spawned child process using process hollowing.

The API call sequence observed is CreateProcessInternalA, WriteProcessMemory, SetThreadContext and ResumeThread: the child is created, its memory is overwritten with the decoded payload, the thread's entry point is redirected, and execution is resumed.

Nova Stealer is capable of:

  • Stealing saved credentials from browsers such as Mozilla Firefox and Chrome.
  • Capturing keystrokes.
  • Taking screenshots.
  • Extracting clipboard data.

Figures (Source – Bi.Zone): retrieving saved credentials from Mozilla Firefox; keystroke logging; taking screenshots.

The retrieved data is exfiltrated via SMTP or FTP, depending on the configuration.

To protect against such threats, organizations should monitor corporate accounts on underground resources, implement robust email filtering to block phishing attempts, and use Endpoint Detection and Response (EDR) tools to detect suspicious activity.

In addition, the BI.ZONE EDR rules can help identify Nova Stealer's malicious activity: they detect when a new Windows Defender exclusion is added, when suspicious tasks are created with schtasks, when an IP detection service is accessed, and when possible browser stealer activity is observed.
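As an added example (not Bi.Zone's EDR rules and not code from the article), the following Python script implements three of the detections described above over constructed, Sysmon-style process-creation records: a Defender exclusion added for a path under AppData, a `schtasks /Create` whose task XML is loaded from the user's Temp directory, and the process-hollowing API call sequence. The sample events, their field names, the user name `alice` and the executable name `svchost.exe` in the Roaming directory are all constructed assumptions for this example, not indicators taken from the page.

```python
"""Detection logic for the Nova Stealer behaviours described in the article.

Added example: the rules below are written for this page and are not
Bi.Zone's EDR rules.  The event format is a constructed, Sysmon-like
process-creation record with an added per-process list of API calls,
as an EDR sensor might record them.
"""
import re

# Constructed sample telemetry (not real indicators): one event per process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\svchost.exe"',
     "apis": []},
    {"pid": 4132, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\wZhPqlmXA" /XML "C:\Users\alice\AppData\Local\Temp\tmp46B8.tmp"',
     "apis": []},
    {"pid": 4150, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "apis": ["CreateProcessInternalA", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]},
    # Benign noise: a task query and an ordinary child-process launch.
    {"pid": 5001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
     "apis": []},
    {"pid": 5002, "image": r"C:\Program Files\App\app.exe",
     "cmdline": r"C:\Program Files\App\app.exe",
     "apis": ["CreateProcessW", "WaitForSingleObject"]},
]

# Rule 1: Defender exclusion pointing at a user-writable profile directory.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)

# Rule 2: schtasks /Create importing its task definition from a Temp directory.
# The optional quote after schtasks.exe tolerates the stray quote seen in the
# command line reported in the article.
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\"?\s+/Create\b", re.I)
XML_FROM_TEMP = re.compile(r"/XML\s+\"?[^\"]*\\Temp\\", re.I)

# Rule 3: the process-hollowing API sequence named in the article, in order.
HOLLOWING_SEQUENCE = ["CreateProcessInternalA", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread"]


def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in the same order
    (other calls may be interleaved between them)."""
    it = iter(haystack)
    return all(item in it for item in needle)


def detect(event):
    """Return the list of rule names that fire for one process event."""
    findings = []
    cmd = event["cmdline"]
    if DEFENDER_EXCLUSION.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append("defender_exclusion_user_writable_path")
    if SCHTASKS_CREATE.search(cmd) and XML_FROM_TEMP.search(cmd):
        findings.append("schtasks_create_from_temp_xml")
    if is_subsequence(HOLLOWING_SEQUENCE, event["apis"]):
        findings.append("process_hollowing_api_sequence")
    return findings


def scan(events):
    """Map pid -> findings for every event that triggers at least one rule."""
    hits = {}
    for event in events:
        findings = detect(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The exclusion rule deliberately requires both `Add-MpPreference` and a profile path, since administrators do add exclusions for software under Program Files; the hollowing rule checks the four calls as an ordered subsequence so that unrelated calls between them do not hide the pattern. A benign `schtasks /Query` and an ordinary `CreateProcessW` launch in the sample data show that the rules do not fire on routine activity.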

The Nova Stealer represents a significant threat due to its affordability and ease of use. Its ability to evade detection and steal sensitive data makes it a powerful tool for malicious actors.

Organizations must remain vigilant and implement proactive measures to protect against such threats.

Indicators of Compromise (IoCs)

Key IoCs include:

  • Hashes: 831582068560462536daaeef1eff8353 (32 hex characters, MD5 length), 15de4683cf8bed4d31660bdd69dca14ec4b71353 (40 hex characters, SHA-1 length)
  • Suspicious task creation via schtasks.exe


The post Beware of Nova Stealer Malware Sold for $50 on Hacking Forums appeared first on Cyber Security News.