NOVA: blast from the past

Feb. 4, 2025, 5:14 p.m.

Description

A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals credentials, captures keystrokes, takes screenshots, and extracts clipboard data. The malware gains persistence through Windows Task Scheduler and can disable security features. It's distributed on underground forums with subscriptions starting at $50. The campaign highlights the ongoing threat of stealers and the potential for stolen data to be used in future targeted attacks.

Date

  • Created: Feb. 4, 2025, 4:46 p.m.
  • Published: Feb. 4, 2025, 4:46 p.m.
  • Modified: Feb. 4, 2025, 5:14 p.m.

Indicators

  • 8004a9c84332b68b0a613a5de9dcf639e415feb14b3da926e164375f3c5a3609

Additional Information

  • Russian Federation