Full Report
Moscow-based cybersecurity company BI.ZONE posted an analysis of the Nova infostealer as other Russian firms warned about cyber-espionage and threats against industrial facilities.
Analysis Summary
# Threat Actor: Nova Malware Developers/Sellers (Commercial Stealer Syndicate)
## Attribution & Identity
The developers behind Nova malware are currently unknown. Researchers noted the malware code contains strings in Polish, suggesting a potential origin or development language preference among the creators. Nova is marketed as a commercial stealer sold "as a service" on dark web marketplaces.
## Activity Summary
The primary activity involves the large-scale deployment and commercialization of the Nova information stealer, which is being used in campaigns targeting local Russian organizations. The article also discusses other recent state-sponsored campaigns (Rezet/Rare Wolf and APT NGC4020) targeting Russian infrastructure due to geopolitical tensions, though these are separate from the Nova activity traced by BI.ZONE.
## Tactics, Techniques & Procedures
- Initial Access: phishing emails carrying malicious files disguised as zipped archives that purport to contain contracts.
- The archives use common, plausible file names so that they blend in with legitimate documents.
- Information Stealing: Collects saved authentication data, records keystrokes, takes screenshots, and extracts data from the clipboard.
- The malware is a fork of SnakeLogger.
## Targeting
- Sectors: General local organizations in Russia. The report does not name specific sectors for Nova; the sectors listed come from the related campaigns: chemical, food, pharmaceutical, and major infrastructure such as telecommunications and the land registry.
- Geography: Primarily targeting Russian organizations.
- Victims: The exact number of Nova victims is unclear, but major Russian organizations recently targeted by other campaigns include Rostelecom, Roseltorg, and Rosreestr.
## Tools & Infrastructure
- Malware families used: Nova malware (a fork of SnakeLogger).
- Infrastructure: No C2 servers, domains, or IP addresses are listed; the sales channel is a Telegram group created in August 2024 to promote, sell, and support the stealer.
- Pricing model: Starts at $50 for a monthly license up to $630 for a lifetime license.
## Implications
The proliferation of commercially available, sophisticated stealers like Nova and SnakeLogger lowers the barrier to entry for less sophisticated actors, increasing the overall volume of data exfiltration targeting the Russian domestic landscape. The data collected could potentially be leveraged for secondary attacks, such as targeted ransomware campaigns. The reliance on local cybersecurity firms for reporting highlights reduced international visibility into the Russian cyber threat environment.
## Mitigations
- Implement robust email filtering to detect and block suspicious archived attachments used in phishing campaigns.
- Train employees to recognize social engineering lures built around contractual documents.
- Enhance endpoint detection and response (EDR) to monitor for keylogging, screenshot capturing, and credential harvesting activities typical of information stealers.
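The first mitigation calls for filtering archived attachments. As an added example, not code from the BI.ZONE report, the following Python triage routine for a mail-gateway hook inspects a zip attachment for executable members (by extension and by PE magic) and flags contract-themed archive names matching the lure described in the TTPs. The lure word list, the extension list and the sample archives are constructed assumptions.

```python
import io
import re
import zipfile

# Assumed lure vocabulary (constructed): contract-themed names in Latin and Cyrillic spelling.
LURE_WORDS = re.compile(r"(contract|dogovor|agreement|договор)", re.IGNORECASE)
# Assumed list of extensions a contract archive should never contain (constructed).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll")


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip with one member (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment: lure-name hit, executable members, PE magic, final verdict."""
    findings = {
        "contract_lure": bool(LURE_WORDS.search(filename)),
        "is_archive": False,
        "executable_members": [],
        "pe_members": [],
        "verdict": "allow",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["is_archive"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # A double extension such as "contract.pdf.exe" still ends in an executable extension.
            if name.endswith(EXEC_EXT):
                findings["executable_members"].append(info.filename)
            # Read only the first two bytes: "MZ" marks a Windows PE image whatever the name says.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings["pe_members"].append(info.filename)
    if findings["executable_members"] or findings["pe_members"]:
        findings["verdict"] = "block"
    elif findings["contract_lure"]:
        # Contract-themed archive with no executable content: hold for analyst review.
        findings["verdict"] = "review"
    return findings
```

The verdicts map onto gateway actions: "block" quarantines, "review" routes the message to an analyst queue, and "allow" delivers it.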