Nova Stealer,
The Malware Made in France
Given the constantly evolving techniques used by the group in question, some information in this article may be outdated.
Introduction
Nova Sentinel is a cybercriminal group offering a Stealer as a Service (StaaS), marketing an “information stealer” (refer to our Cyber Threat Barometer 2023) developed in-house, and distributing various open-source malware. According to their Telegram channel’s creation date, the group appears to have been active since at least August 9, 2020. They primarily communicate in English, but the main actors seem to be French or at least French-speaking, as evidenced by discussions on their Telegram channel.
STUDY OF A NOVA STEALER SAMPLE
Nova Stealer is an information stealer developed and marketed by the Nova Sentinel group. It is written in JavaScript and packaged with the Electron framework. Its capabilities include stealing credentials stored in most browsers, hijacking sessions for platforms such as Discord and Steam, and collecting data related to cryptocurrency wallets.
Since this stealer is marketed as a service, a shop is available for purchasing licenses: formerly on the Sellix platform (https://novasentinel[.]mysellix.io), and after the shop’s closure, on the Sellpass platform (https://novasentinel[.]sellpass.io/products).
To study a sample of this stealer, we will use an executable masquerading as a game, available on dualcorps[.]fr (note that this site logs the IP address of every visitor).
This site poses as a platform offering a free game download, behind which hides our info stealer.
The stealer then sends the collected information to a Discord webhook. A webhook is a mechanism that lets one application push information to another in real time: unlike a traditional API, which the client has to poll for new data, a webhook lets the server send data to the client as soon as a given event occurs.
DYNAMIC ANALYSIS
Dynamic analysis of malware helps understand its behavior in real-time when executed in a controlled environment.
From a first pass, the malware spawns a large number of processes to hide its actions among them. These processes collect information about the infected system and enumerate the antivirus products installed on the machine.
We also observe connections to ipinfo.io (to retrieve the victim’s public IP address), github.com (to fetch third-party scripts such as PowerShell-Red-Team), and above all hawkish[.]fr (for data exfiltration). Note that all of these connections are encrypted (TLS).
DATA EXTRACTION
When visiting hawkish[.]fr, we find a simple Capture The Flag-style site. However, after creating an account, we reach a separate section of the site where a Discord webhook can be entered. This generates an API endpoint to be embedded in the stealer at build time.
All exfiltrated data therefore passes first through an API owned by the Nova Sentinel group, which hides the buyer’s webhook from the victim side.
The drawback of this design, from the buyer’s point of view, is that the group theoretically has access to all data collected by its customers’ stealers. Since hawkish[.]fr sits between the stealer and the operator, we can only assume that everything passing through the Nova Sentinel site is stored.
Upon receiving the data, the user can see the victim’s IP address, location, information about the infected system, and a summary of what has been collected. Finally, a link is available to download the results via the GoFile platform.
The file name to download is defined as follows:
<COUNTRY_CODE>_NOVA_<victim_username>.zip
And the URL in the form: https://gofile.io/d/XXXXXX
Example of data collected from a victim:
The main objective of an info stealer is to retrieve the passwords and cookies stored in the victim’s browsers. Nova goes beyond these basics: it also retrieves configuration files from certain games and game launchers installed on the computer. In the system folder of the archive, the malware lists the antivirus software installed on the machine and reports system information such as hardware, operating system, IP address, and even the Windows product key. A screenshot of the victim’s screen at the moment the malicious file is executed is also included.
STATIC ANALYSIS: REVERSE ENGINEERING
Static analysis of malware involves examining its source code and structure without execution, to identify signatures or indicators of compromise.
Examining the “Dual Corps.exe” file with the Detect It Easy tool shows that it is an installer. After running it and inspecting the installed executable, we see that the stealer was built with the Electron framework.
With this information in hand, retrieving the application’s source code becomes relatively easy: the installed files simply need to be unpacked.
We are left with “app.asar,” the archive that contains the executable’s JavaScript code. To extract it, you can use a 7zip plugin.
Opening the bundle.js file, we access the application’s source code, which is obfuscated.
This manual process can be automated using an unpacker developed by our team:
DEOBFUSCATING THE CODE
Obfuscation is meant to slow down the study of the source code, and undoing it is a slow and tedious process, so we will not go into the details here.
After manual deobfuscation, we end up with a JS script of over 500 long and complex lines. However, only part of the deobfuscated code is really relevant to our analysis.
In this more or less readable portion of the code, we notice that it consists of third-party modules loaded into variables that are used later.
Dynamic analysis of the code allowed us to retrieve 21 additional modules, all in cleartext. The admin.js module finally lets us recover the stealer’s configuration.
Explanation of the Configuration: Builder Study
The builder, the software used to create and customize the malware by generating unique variants with different features and evasion techniques, is also built with the Electron framework. Retrieving its source code follows the same process as before, and this time the code is not obfuscated, which makes it much easier to understand.
Running the builder first requires authentication. The Discord ID field appears to be unnecessary, as the JavaScript code on the page shows.
A “nova token,” on the other hand, gives access to the builder’s features.
This token is sent to https://hawkish[.]fr/grabber/nova/login_by_token, which presumably verifies it and, if valid, lets the user into the builder.
Here we find some visible variables in the stealer’s configuration.
After entering this information, it is sent to http://87[.]106.121.77:3000/cacagrossebite/kschleplusbeau/mazette. A download link for the generated executable is then returned.
GROUP’S OBJECTIVES
The primary objective of the group is likely financial, similar to any group offering Malware as a Service (MaaS). However, it is also worth noting that the group theoretically has access to all information collected by the stealer. By commercializing Nova Stealer, Nova Sentinel could thus access a large amount of private information on stealer victims while generating revenue by selling access to the API.
Annex
Nova Sentinel Hierarchy
IOCs
Author: Nicolas M. F., Purple Team