NOVABLIGHT is a NodeJS-based infostealer offered as Malware-as-a-Service by a group linked to Sordeal, a link evidenced by French-language communications and shared, evolving code. It features a modular design, extensive system sabotage capabilities, and sophisticated obfuscation, and is delivered via platforms such as Telegram and Discord. #NOVABLIGHT #SordealGroup #Telegram #Discord
Key points
- NOVABLIGHT is marketed as an "educational" tool but is a fully functional infostealer MaaS, with licenses valid for up to one year and distribution via Telegram, Discord, and online storefronts such as Billgang.
- The malware employs heavy obfuscation, multi-stage workflows, and broad feature sets including data theft, clipboard hijacking, system sabotage, and anti-analysis techniques.
- It targets Electron-based applications like Discord, Mullvad VPN, Exodus wallet, and Chromium browsers to steal credentials and session data by injecting backdoored modules.
- The group behind NOVABLIGHT is linked to the Sordeal threat group, previously responsible for MALICORD and Nova Sentinel, as revealed by code and GitHub account similarities.
- NOVABLIGHT disables Windows Defender and Task Manager and disrupts internet connectivity; it also blocks file deletion and sabotages system recovery to maintain persistence.
- Data exfiltration is achieved via a multi-tiered infrastructure including a web panel, Discord webhooks, Telegram API, and legitimate third-party file hosting services.
- Extensive system enumeration and targeted file exfiltration are performed, including capturing screenshots, webcam video, running processes, antivirus details, Wi-Fi passwords, and clipboard content.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Executed PowerShell commands for system information gathering and disabling Windows features (‘Executes the PowerShell command Get-CimInstance … to identify antivirus products’).
- [T1486] Data Encrypted for Impact – Disables system recovery and deletes shadow copies to prevent restoration (‘disabling the Windows Recovery Environment (reagentc /disable) and deleting all Volume Shadow Copies (vssadmin delete shadows /all)’).
- [T1090] Proxy – Uses proxy URLs and multiple third-party file hosting services for data exfiltration (‘utilizes a single URL for exfiltration with no fallback mechanism … leveraged a combination of legitimate third-party file-hosting services and its own backend’).
- [T1071] Application Layer Protocol – Exfiltrates data via Telegram API and Discord webhooks (‘sends the stolen data … directly with the official Telegram API and via Discord webhook API’).
- [T1055] Process Injection – Injects malicious code into Electron-based applications (‘payloads are dynamically fetched … targeting applications such as Discord client, Exodus wallet, Mullvad VPN client’).
- [T1063] Security Software Discovery – Identifies installed antivirus products via Windows Security Center queries (‘Executes the PowerShell command Get-CimInstance … to identify antivirus products’).
- [T1140] Deobfuscate/Decode Files or Information – Uses array mapping, base91 encoding, and control flow obfuscation to conceal code logic (‘uses array mapping… base91 encoding… and control flow obfuscation’).
- [T1562] Impair Defenses – Attempts to disable Windows Defender and Task Manager (‘attempts to disable Windows Defender and set the DisableTaskMgr registry value’).
- [T1113] Screen Capture – Captures screenshots of victim desktop (‘Captures a full screenshot of the victim’s desktop’).
- [T1115] Clipboard Data – Monitors and substitutes clipboard contents (‘actively monitors the clipboard for Crypto or Paypal addresses and replaces them’).
- [T1124] System Time Discovery – (Implicit in system enumeration routines for profiling victim systems).
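As an added example (not code from the Elastic report or from the malware), a small Python detector that applies the sabotage and discovery behaviours listed above to constructed Sysmon-style process-creation and registry-set events; the event layout, the regex patterns and the sample values are assumptions, and the technique IDs follow the mapping used on this page.

```python
import re

# Constructed sample events (not from the report): Sysmon-style process
# creation (id 1) and registry value set (id 13) records.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "cmd": "reagentc /disable"},
    {"id": 13, "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                         "\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "cmd": "powershell -c Get-CimInstance -Namespace root/SecurityCenter2 "
                     "-ClassName AntiVirusProduct"},
    {"id": 1, "cmd": "cmd /c dir C:\\Users"},  # benign, should not match
]

# (technique ID as used above, description, Sysmon event id, pattern)
RULES = [
    ("T1486", "shadow copies deleted", 1,
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1486", "Windows Recovery Environment disabled", 1,
     re.compile(r"\breagentc(\.exe)?\s+/disable\b", re.I)),
    ("T1562", "Task Manager disabled via policy key", 13,
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    ("T1063", "antivirus product enumeration", 1,
     re.compile(r"Get-CimInstance.*SecurityCenter2.*AntiVirusProduct", re.I)),
]


def _subject(event):
    """Text a rule is matched against: command line or registry path."""
    return event.get("cmd", "") if event["id"] == 1 else event.get("target", "")


def detect(events):
    """Return (technique, description, matched text) for every rule hit."""
    findings = []
    for ev in events:
        text = _subject(ev)
        for tid, desc, eid, pat in RULES:
            if ev["id"] != eid or not pat.search(text):
                continue
            # Only flag DisableTaskMgr when it is actually being set to 1.
            if eid == 13 and "0x00000001" not in ev.get("details", ""):
                continue
            findings.append((tid, desc, text))
    return findings


def techniques_hit(events):
    """Distinct technique IDs observed, sorted for stable reporting."""
    return sorted({tid for tid, _, _ in detect(events)})


if __name__ == "__main__":
    for tid, desc, text in detect(SAMPLE_EVENTS):
        print(f"{tid}: {desc} <- {text}")
    print("techniques:", techniques_hit(SAMPLE_EVENTS))
```

Two or more of these techniques from one host within a short window is a stronger signal than any single hit, since shadow-copy deletion alone also appears in legitimate backup maintenance.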
Indicators of Compromise
- [SHA-256 Hashes] NOVABLIGHT version samples – d806d6b5811965e745fd444b8e57f2648780cc23db9aa2c1675bc9d18530ab73 (v2.2), 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d (v2.1), 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65 (v2.0)
- [Domains] NOVABLIGHT dashboard and API endpoints – api.nova-blight.top, shadow.nova-blight.top, nova-blight.site, nova-blight.xyz, bamboulacity.nova-blight.xyz
- [File Names] Malware scripts and executables – DisableWD.bat (Windows Defender disable script), Bighead.avi (webcam video output), files.zip (archived exfiltrated sensitive files)
Read more: https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes