The BI.ZONE Threat Intelligence team continues to record a large‑scale campaign targeting Russian organizations across various industries. The adversaries employ NOVA stealer, a new commercial fork of SnakeLogger, with subscriptions starting at $50. They distribute phishing emails with the malware disguised as a contract archive.
Key findings
- Threat actors actively leverage malware as a service (MaaS) marketed on underground resources, enabling them to save resources and focus on its spread.
- Attackers increase their chances of success by using popular file names for malicious archives and targeting employees in organizations that handle high volumes of emails.
- Stealers remain a major cybersecurity threat: authentication data harvested through such malware can be leveraged in the future, for instance, in targeted ransomware attacks.
Campaign
As part of this campaign, the adversaries distribute NOVA via archive attachments to phishing emails, disguising them as contracts (e.g., Договор.exe). It is noteworthy that the attackers do not use double file extensions or fake icons to make the malicious file appear as a legitimate document.
Once executed, the malicious file decodes data steganographically concealed in zabawa2, replicates itself under a different name in the AppData\Roaming directory, and runs PowerShell to add itself to the Microsoft Defender exclusions list:
Add-MpPreference -ExclusionPath "C:\Users\%USERNAME%\AppData\Roaming\%FILENAME%.exe"
It gains persistence on the compromised system by creating a task in the Windows Task Scheduler:
schtasks.exe" /Create /TN "Updates\wZhPqlmXA" /XML "C:\Users\%USERNAME%\AppData\Local\Temp\tmp46B8.tmp"
Finally, the malicious file executes itself in a suspended state and injects the decoded payload into a spawned child process.
The API call sequence is as follows: CreateProcessInternalA (suspended) → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread.
Curiously enough, the malicious file includes strings in Polish.
The injected payload is the NOVA stealer, a fork of the popular SnakeLogger stealer.
To get the IP and country details of a compromised system, NOVA queries web resources such as checkip[.]dyndns[.]org or reallyfreegeoip[.]org.
The malware steals saved credentials from various sources, captures keystrokes, takes screenshots, and extracts clipboard data.
In this particular case, the retrieved data is exfiltrated via SMTP.
This sample may also have the following capabilities:
- disable Microsoft Defender and Task Manager
- disable the Registry Editor
- disable CMD
The stealer contains functions with the corresponding names, but their bodies lack the code needed to actually perform these actions.
Additionally, we detected a function that prevents the malware from running until a particular date.
NOVA is marketed under the MaaS model, making it accessible to a wide range of attackers.
In August 2024, the NOVA Telegram group was created to promote and sell the stealer, as well as to provide tech support.
Apart from the stealer, the developer offers a cryptor, with the stealer price ranging from $50 for a 30‑day license up to $630 for a lifetime license, and the cryptor price, from $60 for a 30‑day license to $150 for a 90‑day license.
Indicators of compromise
831582068560462536daaeef1eff8353
15de4683cf8bed4d31660bdd69dca14ec4b71353
8004a9c84332b68b0a613a5de9dcf639e415feb14b3da926e164375f3c5a3609
MITRE ATT&CK
Detection
The BI.ZONE EDR rules below can help organizations detect the described malicious activity:
win_new_windows_defender_exception_was_added
win_using_schtasks_to_create_suspicious_task
win_access_to_ip_detection_service
win_possible_browser_stealer_activity
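As an added illustration of the logic behind rules such as those listed above (example code, not BI.ZONE's own rules), the following Python scans a handful of constructed process-creation and DNS events for three behaviours described in this report: a Defender exclusion pointing into a user-writable directory, schtasks /Create importing a task definition from Temp, and lookups to the IP-detection services named above. The event format and the user name "ivan" are assumptions.

```python
import re

# Constructed sample telemetry (not from the report); fields mimic a minimal
# process-creation / DNS event feed. The second cmdline keeps the stray quote
# exactly as the report shows it, since detections must cope with such input.
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe",
     "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\ivan\\AppData\\Roaming\\Update.exe"'},
    {"type": "process", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe" /Create /TN "Updates\\wZhPqlmXA" /XML "C:\\Users\\ivan\\AppData\\Local\\Temp\\tmp46B8.tmp"'},
    {"type": "dns", "image": "Update.exe", "query": "checkip.dyndns.org"},
    # Benign noise: a scheduled-task query and an ordinary web lookup.
    {"type": "process", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
    {"type": "dns", "image": "chrome.exe", "query": "www.example.com"},
]

# Exclusions that point into per-user writable locations are the suspicious case.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
# Services the report names as used for IP/country discovery.
IP_DETECTION_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}


def defender_exclusion_added(ev):
    """Add-MpPreference -ExclusionPath whose path lies in a user-writable directory."""
    m = re.search(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"]+)', ev.get("cmdline", ""), re.IGNORECASE)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def suspicious_schtasks(ev):
    """schtasks /Create that imports its task XML from the user's Temp directory."""
    cmd = ev.get("cmdline", "")
    return bool(re.search(r'schtasks(\.exe)?"?\s+/Create\b', cmd, re.IGNORECASE)
                and re.search(r'/XML\s+"?[^"]*\\Local\\Temp\\', cmd, re.IGNORECASE))


def ip_detection_service(ev):
    """DNS lookup of a public IP/geolocation service from any process."""
    return ev.get("type") == "dns" and ev.get("query", "").lower() in IP_DETECTION_HOSTS


RULES = {
    "win_new_windows_defender_exception_was_added": defender_exclusion_added,
    "win_using_schtasks_to_create_suspicious_task": suspicious_schtasks,
    "win_access_to_ip_detection_service": ip_detection_service,
}


def scan(events):
    """Return (rule_name, image) pairs for every event that triggers a rule."""
    return [(name, ev["image"]) for ev in events for name, fn in RULES.items() if fn(ev)]
```

Running scan(SAMPLE_EVENTS) flags the first three events and leaves the two benign ones untouched; in practice the exclusion and schtasks rules should also be correlated by process ancestry, since the report shows both being launched by the same freshly copied executable.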
How to protect your company from such threats
To ensure proactive protection, you need to stay ahead of threat actors by monitoring compromised corporate accounts on underground resources. The BI.ZONE Threat Intelligence portal can be a valuable solution in this regard, offering, among other things, information about data leaks. The portal allows you to look for compromised accounts by a specific email address, an email domain (including all its subdomains), or by a particular URL.