Nova Stealer,
The Malware Made in France

Using our Cyber Threat Intelligence tool, LastInfoSec, our Purple team identified a threat from a new cybercriminal group. We decided to investigate and compile our findings in this report.

Given the constantly evolving techniques used by the group in question, some information in this article may be outdated.
Le Lab Gatewatcher

Introduction


Nova Sentinel is a cybercriminal group offering a Stealer as a Service (StaaS), marketing an “information stealer” (refer to our Cyber Threat Barometer 2023) developed in-house, and distributing various open-source malware. According to their Telegram channel’s creation date, the group appears to have been active since at least August 9, 2020. They primarily communicate in English, but the main actors seem to be French or at least French-speaking, as evidenced by discussions on their Telegram channel.

STUDY OF A NOVA STEALER SAMPLE


Nova Stealer is an information stealer developed and marketed by the Nova Sentinel group. It is written in JavaScript and packaged as a desktop executable with the Electron framework. Its capabilities include stealing credentials stored in most browsers, hijacking sessions for platforms such as Discord and Steam, and collecting information related to cryptocurrency wallets.

Since this stealer is marketed as a service, a shop is available for purchasing licenses: formerly on the Sellix platform (https://novasentinel[.]mysellix.io), and after the shop’s closure, on the Sellpass platform (https://novasentinel[.]sellpass.io/products).

Nova Sentinel Group Store Selling Access to Nova Stealer

To study a sample of this stealer, we use an executable masquerading as a game, available on dualcorps[.]fr (note that this site records the IP address of every visitor).

This site poses as a platform offering a free game download, behind which hides the info stealer.

The stealer sends the collected information to a Discord webhook. A webhook is a mechanism that lets one application push real-time information to another: unlike a traditional API, which requires the client to poll the server for data, a webhook lets the server send data to the client whenever a given event occurs.

DYNAMIC ANALYSIS


Dynamic analysis of malware helps understand its behavior in real-time when executed in a controlled environment.

From a quick analysis, the malware creates a large number of processes to hide its actions. These processes collect information about the infected system and identify the antivirus solution installed on the machine.

We also observe connections to ipinfo.io (to retrieve the victim’s public IP address), github.com (to retrieve third-party scripts such as PowerShell-Red-Team) and, above all, hawkish[.]fr (for data exfiltration). Note that all of these connections are encrypted.

DATA EXTRACTION


When visiting hawkish[.]fr, we find a simple Capture The Flag-style site. After creating an account, however, we gain access to a separate section of the site offering the possibility to enter a Discord webhook. This generates an API endpoint to be entered when the stealer is built.

 

Hawkish Grabber Button Enabling the Creation of Its API URL

 

After providing a Discord webhook, the user retrieves the URL to enter during the build of their stealer


Every report thus passes first through an API owned by the Nova Sentinel group, which hides the operator’s own webhook behind the group’s infrastructure.

The problem with this method is that the group theoretically has access to all the data collected by its customers’ stealers. Since the hawkish[.]fr site acts as an intermediary between the stealer and the malicious user, we can only assume that everything passing through the Nova Sentinel site is stored.

Upon receiving the data, the operator sees the victim’s IP address, location, information about the infected system, and a summary of what has been collected. Finally, a link is provided to download the results from the GoFile file-sharing platform.

Example of Results Received on a Discord Channel


The file name to download is defined as follows:

<COUNTRY_CODE>_NOVA_<victim_username>.zip 

And the URL in the form: https://gofile.io/d/XXXXXX 
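As an added example (not part of Gatewatcher’s report or tooling), the following Python scores constructed endpoint events against the indicators the report gives: the hawkish[.]fr relay, the gofile.io hosting service, the ipinfo.io and github.com lookups (too common to alert on by themselves) and the `<COUNTRY_CODE>_NOVA_<victim_username>.zip` naming scheme. The event format, the endpoint names, the user name and the GoFile link are invented for the demonstration, and the domains are written un-defanged because the code has to match them.

```python
import re
from collections import defaultdict

# Indicators from the report. ipinfo.io and github.com are contacted by the
# stealer but are far too common to alert on by themselves.
RELAY_HOSTS = {"hawkish.fr"}                 # exfiltration endpoint
UPLOAD_HOSTS = {"gofile.io"}                 # where the stolen ZIP is hosted
CONTEXT_HOSTS = {"ipinfo.io", "github.com"}  # supporting evidence only

# <COUNTRY_CODE>_NOVA_<victim_username>.zip, anchored at the end of a path
NOVA_ARCHIVE = re.compile(r"(?:^|[\\/])([A-Z]{2}_NOVA_[^\\/\s]+\.zip)$")
# Download link in the form https://gofile.io/d/XXXXXX
GOFILE_LINK = re.compile(r"https?://gofile\.io/d/[A-Za-z0-9]+")

# Constructed event lines (not a real product's log format):
#   <timestamp> <endpoint> CONNECT <domain>:<port>
#   <timestamp> <endpoint> FILE_CREATE <path>
SAMPLE_EVENTS = """\
2024-03-01T09:12:01Z WS-042 CONNECT ipinfo.io:443
2024-03-01T09:12:02Z WS-042 CONNECT github.com:443
2024-03-01T09:12:05Z WS-042 FILE_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\FR_NOVA_alice.zip
2024-03-01T09:12:06Z WS-042 CONNECT hawkish.fr:443
2024-03-01T09:12:07Z WS-042 CONNECT gofile.io:443
2024-03-01T09:30:00Z WS-017 CONNECT github.com:443
2024-03-01T09:31:00Z WS-017 CONNECT ipinfo.io:443
""".splitlines()

# Constructed text of an operator-side Discord message (link is made up).
SAMPLE_MESSAGE = "New victim FR: results at https://gofile.io/d/AbC123 (FR_NOVA_alice.zip)"

STRONG, MEDIUM, WEAK = 10, 5, 1


def score_events(lines):
    """Group events per endpoint; return {endpoint: (score, [reasons])}.

    A relay connection or the archive name alone is enough to alert; the
    IP lookup and the GitHub fetch only add context, so a developer
    workstation that merely talks to GitHub never reaches the threshold."""
    findings = defaultdict(lambda: [0, []])
    for line in lines:
        if not line.strip():
            continue
        ts, endpoint, kind, arg = line.split(maxsplit=3)
        entry = findings[endpoint]
        if kind == "CONNECT":
            domain = arg.rsplit(":", 1)[0].lower()
            if domain in RELAY_HOSTS:
                entry[0] += STRONG
                entry[1].append(f"{ts} connection to Nova relay {domain}")
            elif domain in UPLOAD_HOSTS:
                entry[0] += MEDIUM
                entry[1].append(f"{ts} connection to upload service {domain}")
            elif domain in CONTEXT_HOSTS:
                entry[0] += WEAK
                entry[1].append(f"{ts} context: {domain}")
        elif kind == "FILE_CREATE":
            m = NOVA_ARCHIVE.search(arg)
            if m:
                entry[0] += STRONG
                entry[1].append(f"{ts} wrote Nova archive {m.group(1)}")
    return {e: (s, r) for e, (s, r) in findings.items() if s > 0}


def alerts(lines, threshold=STRONG):
    """Endpoints whose accumulated score reaches the alert threshold."""
    return sorted(e for e, (s, _) in score_events(lines).items() if s >= threshold)


def find_share_links(text):
    """Pull GoFile download links out of free text, e.g. an exported Discord channel."""
    return GOFILE_LINK.findall(text)


if __name__ == "__main__":
    for endpoint, (score, reasons) in score_events(SAMPLE_EVENTS).items():
        print(endpoint, score, *reasons, sep="\n  ")
    print("alerts:", alerts(SAMPLE_EVENTS))
    print("links:", find_share_links(SAMPLE_MESSAGE))
```

With the constructed sample, WS-042 scores 27 and is reported, while WS-017 (GitHub and ipinfo.io only) scores 2 and stays silent. The thresholds are arbitrary; what matters is that the weak indicators never alert on their own and that the archive name is matched only at the end of a path, not anywhere in a URL or message body.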

 

Example of data collected from a victim:

File Tree of the ZIP Containing the Victim’s Stolen Information

The main objective of an info stealer is to retrieve passwords and cookies stored in the victim’s browsers, but Nova goes beyond these basic functions. This stealer also retrieves configuration files from certain games and game launchers installed on the computer. In addition, in the system folder, the malware records the list of antivirus products installed on the machine and information about the system, such as hardware, operating system, IP address and even the registered Windows product key. A screenshot of the victim’s screen, taken when the malicious file is executed, is also included.

STATIC ANALYSIS: REVERSE ENGINEERING


Static analysis of malware involves examining its code and structure without executing it, in order to identify signatures or indicators of compromise.

Static analysis of the “Dual Corps.exe” file with the Detect It Easy tool shows that it is an installer. Extracting the executable it installs reveals that the stealer was developed with the Electron framework.

Retrieving Information from the Base File and After Extraction


With this information at hand, retrieving the application’s source code becomes relatively easy: the installed executable simply has to be decompressed.

Decompression Process to Retrieve the App.asar File

We are left with “app.asar”, the archive containing the JavaScript code of the executable. To extract it, a 7-Zip plugin that understands the asar format can be used.

Source Code Retrieval Process

Opening the bundle.js file, we access the application’s source code, which is obfuscated.

This manual process can be automated using an unpacker developed by our team:

https://github.com/Gatewatcher/nova_unpacker
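To make the unpacking step concrete, here is an added Python example (not code from this page and not Gatewatcher’s nova_unpacker) that writes and reads the asar container format used by Electron: an 8-byte size prefix, a Chromium Pickle holding the JSON directory, then the raw file bytes at the offsets the directory gives. The sample archive, its file names and the pseudo-obfuscated bundle.js contents are constructed for the demonstration.

```python
import json
import struct


def _pickle_string(payload: bytes) -> bytes:
    """Encode bytes as a Chromium Pickle holding one string: uint32 length,
    the bytes, padding to a 4-byte boundary, all prefixed by the payload size."""
    body = struct.pack("<I", len(payload)) + payload
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<I", len(body)) + body


def build_asar(files: dict) -> bytes:
    """Pack {path: content} into an asar archive. Paths may contain '/'."""
    root = {"files": {}}
    blob = bytearray()
    for path, content in files.items():
        node = root
        *dirs, leaf = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        # offsets are relative to the start of the data area and stored as strings
        node["files"][leaf] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    header = _pickle_string(json.dumps(root, separators=(",", ":")).encode())
    # The first pickle carries a single uint32: the length of the header pickle.
    return struct.pack("<II", 4, len(header)) + header + bytes(blob)


def parse_asar(data: bytes) -> dict:
    """Return every packed file as {path: content}. Entries flagged 'unpacked'
    are skipped: their bytes live next to the archive in app.asar.unpacked/."""
    size_payload, header_len = struct.unpack_from("<II", data, 0)
    if size_payload != 4 or len(data) < 8 + header_len:
        raise ValueError("not an asar archive")
    # header pickle at offset 8: uint32 payload size, uint32 string length, JSON
    _, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    data_start = 8 + header_len
    out = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            path = prefix + name
            if "files" in meta:
                walk(meta, path + "/")
            elif not meta.get("unpacked"):
                off = data_start + int(meta["offset"])
                out[path] = data[off:off + meta["size"]]

    walk(header, "")
    return out


def js_files(archive: bytes) -> list:
    """Paths of the JavaScript files in the archive, i.e. where bundle.js sits."""
    return sorted(p for p in parse_asar(archive) if p.endswith(".js"))


# Constructed stand-in for an Electron app: a manifest plus a bundle whose
# contents merely look obfuscated.
SAMPLE_APP = build_asar({
    "package.json": b'{"name":"demo","main":"bundle.js"}',
    "bundle.js": b"var _0x3a1f=['a','b'];(function(){})();",
    "node_modules/x/index.js": b"module.exports={};",
})

if __name__ == "__main__":
    for path, content in parse_asar(SAMPLE_APP).items():
        print(f"{path}: {len(content)} bytes")
    print("JavaScript:", js_files(SAMPLE_APP))
```

Running parse_asar over a real app.asar lists the bundle the report opens next. Two caveats: native modules are usually stored unpacked and therefore do not come out of the archive itself, and recent asar versions add a per-file integrity field to the directory, which this parser simply ignores.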

DEOBFUSCATING THE CODE


Obfuscation is meant to slow down the study of source code, and undoing it is a slow and tedious process. We will therefore not go into the details.

Part of the Obfuscated Code

After manual deobfuscation, we end up with a JavaScript file of over 500 long and complex lines. However, only part of the deobfuscated code is really relevant to our analysis.

Part of the Obfuscated Code Containing Clear JavaScript Code

This more or less readable portion of the code turns out to be third-party modules being loaded into variables that are used later.

Dynamic code analysis allowed us to retrieve 21 additional modules, entirely in clear text. The admin.js module finally lets us recover the stealer’s configuration.

Stealer configuration recovered from admin.js


Explanation of the Configuration: Builder Study

The builder, the software used to create and customize the malware by generating unique variants with different features and evasion techniques, is also developed with the Electron framework. Retrieving its source code follows the same process as before. This time, moreover, the code is not obfuscated, which greatly eases its understanding.

Builder Login Page

When the builder is launched, authentication is required. The Discord ID field appears to be unnecessary, as the JavaScript code present on the page shows.

Source Code for Builder Service Authentication

What actually grants access to the builder’s features is a “nova token”.

Source Code Showing the Verification of the Nova Token

This token is sent to the URL https://hawkish[.]fr/grabber/nova/login_by_token, which presumably verifies it and, if it is valid, leads the user to the builder.

First Page of the Builder
Second Page of the Builder
Third Page of the Builder

Here we recognize several of the variables seen in the stealer’s configuration.

Once this information has been entered, it is sent to http://87[.]106.121.77:3000/cacagrossebite/kschleplusbeau/mazette, over plain HTTP. A download link for the generated executable is then provided.

GROUP’S OBJECTIVES


The group’s primary objective is most likely financial, as for any group offering Malware as a Service (MaaS). However, it is also worth noting that the group theoretically has access to all the information collected by the stealer. By commercializing Nova Stealer, Nova Sentinel could thus access a large amount of private information about the stealer’s victims while generating revenue by selling access to the API.

Annex


Nova Sentinel Hierarchy

Hierarchy of Nova Sentinel


IOCs

Table of indicators of compromise


Author: Nicolas M. F., Purple Team