Nova Infostealer Malware | Sordeal Stealer | Cyfirma

Nova is a sophisticated infostealer from MaaS operator Sordeal, designed to harvest browser credentials, system data, and crypto-wallet information while employing anti-forensic techniques and kernel-log evasion. The operators distribute Nova via free keys, leverage JS/Electron, and show plans to expand capabilities to Discord and wallet injections. #NovaInfostealer #Sordeal #DiscordInjection #Exodus #AtomicWallet

Keypoints

  • Sordeal has been active since early 2023, with heightened activity observed since September 2023.
  • Free keys for the full Nova version are attracting many black hats and increasing distribution.
  • Nova’s developers employ anti-forensic and defense-evasion techniques, including kernel-log evasion.
  • The malware leverages JavaScript and the Electron framework for certain utilities, with AutoIT used to access Windows APIs.
  • The sample is NSIS-packed, drops app-64.7z, and loads dependencies (AutoIT, VC++ Redistributable, Java) during deployment.
  • Nova targets multiple browsers (Edge, Chrome, Firefox) and shows intent to expand to Discord injection and crypto-wallet attacks (Exodus, Atomic).

MITRE Techniques

  • [T1112] Modify Registry – The malware queries and modifies registry keys related to the system for persistence and configuration. “The malware uses cmd.exe and powershell to interact with the registry extensively.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Drops Update[.]exe into the startup folder to maintain persistence.
  • [T1555.003] Credentials from Web Browsers – Targets multiple browsers, including Edge, Chrome, and Firefox, to harvest credentials.
  • [T1113] Screen Capture – Uses an open-source utility to capture screenshots of the target machine.
  • [T1105] Ingress Tool Transfer – Downloads AutoIT, Microsoft Visual C++ Redistributable, and Java as dependencies.
  • [T1562.001] Impair Defenses – Modifies the Circular Kernel Context Logger to stop kernel-level logging and reduce visibility.
  • [T1553] Subvert Trust Controls (Root Certificate) – Installs a root certificate in ROOTCertificates (noted as a “Blob” value) to masquerade as legitimate signed components.
  • [T1041] Exfiltration Over C2 Channel – An exfiltration action is visible when a copy is sent to panel.sordeal.com:3000/ via POST.
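A host-hunting script that checks a Windows machine for the artefacts the techniques above describe, added here as an example and not taken from the Cyfirma report. It assumes an elevated PowerShell 5.1+ session; the hash list and the names Update.exe and port 3000 come from this page, while the variable names and the heuristic in check 2 (per-user root certificates absent from the machine store) are this example's own assumptions.

```powershell
# Added hunting script (not part of the Cyfirma report). Output is for analyst review,
# not an automatic verdict. Run from an elevated PowerShell prompt.

# SHA256 values from the IoC list on this page, lower-cased for comparison.
$NovaHashes = @(
    'caad50dec67d247a242d62b30d39ef7e51a9febea387b74a53d405bce73b990c',
    '846a3dbd8e7f850a5495dca3ded6855434c05643c898929a103007d182f68b78',
    'd7709e361a9ec30527514b69b6084606161e35beaeb532ebe339445901549336',
    '9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37'
)

# 1. T1547.001 - persistence via the user and common Startup folders (report names Update.exe).
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $flag = if ($NovaHashes -contains $hash) { 'HASH MATCH' }
                elseif ($_.Name -ieq 'Update.exe') { 'NAME MATCH' }
                else { 'review' }
        [PSCustomObject]@{ Check = 'Startup'; Item = $_.FullName; Detail = $hash; Flag = $flag }
    }
}

# 2. T1553 - root certificates in the per-user ROOT store that are not in the machine store.
#    Heuristic assumed by this example: a user-installed root is where an unexpected Blob lands.
$machineRoots = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint } |
    ForEach-Object {
        [PSCustomObject]@{ Check = 'UserRootCert'; Item = $_.Subject; Detail = $_.Thumbprint; Flag = 'review' }
    }

# 3. T1562.001 - state of the Circular Kernel Context Logger ETW session (running by default).
$ckcl = logman query 'Circular Kernel Context Logger' -ets 2>&1 | Out-String
$ckclFlag = if ($ckcl -match 'Status:\s+Running') { 'ok' } else { 'NOT RUNNING / query failed' }
[PSCustomObject]@{ Check = 'CKCL'; Item = 'Circular Kernel Context Logger'; Detail = ($ckcl -split "`n" | Select-String 'Status' | Out-String).Trim(); Flag = $ckclFlag }

# 4. T1041 - live TCP connections to the exfiltration port named in the report.
Get-NetTCPConnection -RemotePort 3000 -ErrorAction SilentlyContinue | ForEach-Object {
    [PSCustomObject]@{ Check = 'NetConn'; Item = "$($_.RemoteAddress):$($_.RemotePort)"; Detail = "PID $($_.OwningProcess)"; Flag = 'review (resolve PID and host)' }
}
```

Checks 1 and 4 are the strongest signals (an exact hash or a connection to port 3000 on the named panel host); checks 2 and 3 need a baseline from a known-good host before treating their output as suspicious.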

Indicators of Compromise

  • [SHA256] Caad50dec67d247a242d62b30d39ef7e51a9febea387b74a53d405bce73b990c – MOOX92zb72.exe, Obvious.exe
  • [SHA256] 846a3dbd8e7f850a5495dca3ded6855434c05643c898929a103007d182f68b78 – app-64.7z
  • [SHA256] d7709e361a9ec30527514b69b6084606161e35beaeb532ebe339445901549336 – Win32snapshot.exe, Update.exe
  • [SHA256] 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 – elevate.exe
  • [Domain] panel.sordeal.com – Exfiltration endpoint used by Nova to post data
  • [URL] panel.sordeal.com:3000 – Exfiltration endpoint used by Nova (POST)

Read more: https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/