
The BI.ZONE Threat Intelligence team has reported a significant ongoing campaign distributing the NOVA stealer, a new commercial variant of the SnakeLogger malware. This campaign is primarily targeting Russian organizations across various sectors.
The attackers are using phishing emails with malicious attachments disguised as contracts to spread the NOVA stealer. Interestingly, they are not using common tactics like double file extensions or fake icons to trick users.
“It is noteworthy that the attackers do not use double file extensions or fake icons to make the malicious file appear as a legitimate document,” the report states.
Once executed, the malware:
- Decodes steganographically hidden data.
- Copies itself to the AppData\Roaming directory.
- Adds itself to the Microsoft Defender exclusions list using PowerShell.
- Establishes persistence via the Windows Task Scheduler.
- Injects the NOVA stealer payload into a child process.
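As an added defender-side example (not code from the BI.ZONE report), the following Python hunt flags the three host-observable steps above (Defender exclusion via PowerShell, scheduled task pointing into AppData\Roaming, and execution from AppData\Roaming) in process-creation telemetry; the sample records, user name, file name and task name are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style (Image,
# CommandLine). These are placeholders, not telemetry from the reported campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\contract.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\contract.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\contract.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\contract.exe"'},
    {"Image": r"C:\Users\alice\AppData\Roaming\contract.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\contract.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Behaviour patterns derived from the steps listed above.
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+.*/create", re.IGNORECASE)

def classify(event):
    """Return the behaviour labels a single process-creation event matches."""
    hits = []
    cmd = event["CommandLine"]
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion")
    if SCHTASKS_CREATE.search(cmd) and APPDATA_ROAMING.search(cmd):
        hits.append("scheduled_task_to_appdata")
    if APPDATA_ROAMING.search(event["Image"]):
        hits.append("exec_from_appdata_roaming")
    return hits

def hunt(events):
    """Return (flagged events, True if all three behaviours were observed).

    Each behaviour alone is noisy on a real estate; the combination on one
    host within a short window is the signal worth escalating.
    """
    findings = [(e["Image"], classify(e)) for e in events]
    seen = {label for _, hits in findings for label in hits}
    chain = {"defender_exclusion", "scheduled_task_to_appdata",
             "exec_from_appdata_roaming"}
    return [f for f in findings if f[1]], chain <= seen

if __name__ == "__main__":
    flagged, full_chain = hunt(SAMPLE_EVENTS)
    for image, hits in flagged:
        print(image, hits)
    print("full chain observed:", full_chain)
```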
The NOVA stealer itself is a fork of the SnakeLogger stealer, designed to steal various types of sensitive information, including saved credentials, keystrokes, screenshots, and clipboard data. It exfiltrates the stolen data via SMTP.
The BI.ZONE report highlights that the stealer is being marketed as Malware-as-a-Service (MaaS) on underground forums, with prices starting at $50 for a 30-day license. This accessibility makes it a threat to a wide range of organizations.