
Cybercriminals Selling Nova Stealer Malware for $50 on Dark Web


Cybersecurity experts have uncovered a large-scale campaign involving the distribution of the Nova Stealer malware, a commercial fork of the SnakeLogger stealer.

This malicious software is being marketed as Malware-as-a-Service (MaaS) on underground forums, with subscription prices starting at just $50 for a 30-day license and extending up to $630 for a lifetime license.

The campaign primarily targets Russian organizations across various industries, including finance, retail, and government sectors.

Nova Stealer is distributed through phishing emails that contain malicious attachments disguised as contract files.

Unlike other malware campaigns that use deceptive techniques like double file extensions or fake icons, this operation relies on plausible file names to trick recipients into executing the malware.

Once activated, the malware employs sophisticated techniques to evade detection and establish persistence on infected systems.

Technical Capabilities

The Nova Stealer malware is designed to harvest sensitive information from compromised systems. Its capabilities include:

  • Credential Theft: Extracting saved passwords from browsers and applications such as Mozilla Firefox, Microsoft Edge, and Outlook.
  • Keylogging: Recording users’ keystrokes to capture login credentials and other sensitive data.
  • Screen Capture: Taking screenshots of the victim’s desktop environment.
  • Clipboard Monitoring: Extracting data copied to the clipboard, which may include passwords or cryptocurrency wallet addresses.

The stolen data is exfiltrated via various methods, including SMTP (email protocol), Telegram APIs, or FTP servers, depending on the configuration used by attackers.

Additionally, Nova Stealer can disable critical system utilities like Microsoft Defender, Task Manager, and Registry Editor to avoid detection and hinder remediation efforts.

To ensure its persistence on infected devices, the malware uses Windows Task Scheduler to create scheduled tasks that re-execute it at regular intervals.

According to the report, it also adds itself to antivirus exclusion lists using PowerShell commands.
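The persistence and evasion behaviours described above can be hunted for in process-creation logs. The following is an added example, not taken from the report: the command lines are constructed, and the specific cmdlets and registry value names in the patterns are assumptions based on standard Windows tooling rather than details the article provides.

```python
import re
from collections import defaultdict

# Patterns for the behaviours the article describes. The exact commands and
# registry value names are assumptions; the article does not list them.
RULES = {
    "defender_exclusion": re.compile(
        r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "scheduled_task_create": re.compile(
        r"\bschtasks(\.exe)?\b.*\s/create\b|\bRegister-ScheduledTask\b", re.I),
    "tool_disable_policy": re.compile(
        r"\bDisable(TaskMgr|RegistryTools)\b", re.I),
}

# Constructed process-creation records: (host, command line).
SAMPLE_EVENTS = [
    ("WS-014", r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\u1\AppData\Roaming\upd.exe"'),
    ("WS-014", r'schtasks.exe /Create /SC MINUTE /MO 5 /TN "upd" /TR "C:\Users\u1\AppData\Roaming\upd.exe"'),
    ("WS-014", r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    ("SRV-02", r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.cmd"'),
    ("WS-031", r'powershell.exe Get-MpPreference'),
]

def behaviours_by_host(events):
    """Map each host to the sorted list of distinct behaviours seen on it."""
    hits = defaultdict(set)
    for host, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[host].add(name)
    return {host: sorted(found) for host, found in hits.items()}

def flag_hosts(events, min_behaviours=2):
    """Escalate only hosts showing several behaviours together.

    A single scheduled-task creation is routine admin activity; the
    combination with a Defender exclusion or tool lockout is not.
    """
    per_host = behaviours_by_host(events)
    return sorted(h for h, found in per_host.items() if len(found) >= min_behaviours)

if __name__ == "__main__":
    for host, found in behaviours_by_host(SAMPLE_EVENTS).items():
        print(host, found)
    print("escalate:", flag_hosts(SAMPLE_EVENTS))
```

Requiring two or more distinct behaviours on the same host keeps routine administrative task creation from generating alerts on its own.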

Malware-as-a-Service Model Expands Accessibility

The affordability and accessibility of Nova Stealer highlight the growing trend of cybercriminals leveraging MaaS platforms.

By offering pre-built malware with technical support through platforms like Telegram, developers enable even low-skill attackers to launch sophisticated cyberattacks.

This model significantly lowers the barrier for entry into cybercrime, expanding the pool of potential threat actors.

The Nova Stealer campaign underscores the increasing sophistication of information-stealing malware in the cyber threat landscape.

Organizations are urged to adopt proactive cybersecurity measures such as employee training on phishing awareness, robust endpoint detection systems, and regular monitoring for compromised accounts on underground forums.

As cybersecurity experts continue to analyze Nova Stealer’s impact, its low cost and advanced features make it a formidable threat in the digital realm.
