A new malware campaign targeting macOS users has emerged with a dangerous focus on cryptocurrency wallet theft.
The malware, called Nova Stealer, uses a clever approach to trick victims by replacing genuine cryptocurrency applications with fake versions that steal wallet recovery phrases.
This bash-based stealer has been identified attacking users of popular cryptocurrency wallets, including Ledger Live, Trezor Suite, and Exodus.
The attack begins when an unknown dropper downloads and runs a script called mdriversinstall.sh from the command-and-control server at hxxps://ovalresponsibility[.]com/mdriversinstall[.]sh.
This initial script creates a hidden directory at ~/.mdrivers and installs several components, including a script manager and a launcher.
The malware generates a unique user ID using the uuidgen command and stores it in ~/.mdrivers/user_id.txt to track infected systems.
BruceKetta.house security researchers identified the Nova Stealer campaign and noted its modular design. The malware uses an orchestrator script called mdriversmngr.sh that downloads additional modules from the command-and-control server.
These modules arrive base64-encoded and are stored under ~/.mdrivers/scripts. The malware achieves persistence by creating a LaunchAgent plist file labeled utility.com.artificialintelligence that ensures the scripts run automatically at every system startup.
One particularly interesting technique used by Nova Stealer is running its scripts inside detached screen sessions using the command screen -dmS.
This approach keeps the malicious processes running independently in the background, hidden from the user's view. The processes even survive when users log out, because they run as daemon sessions started with the -dmS flag.
Application Swapping and Seed Phrase Theft
Nova Stealer's most dangerous capability involves swapping legitimate cryptocurrency wallet applications with fake versions.
The malware component mdriversswaps.sh detects whether Ledger Live or Trezor Suite are installed on the system by checking paths in /Applications/.
When found, the script removes the original applications using rm -rf and deletes their Launchpad database entries via SQLite commands such as DELETE FROM apps/items where the title or IDs match.
Nova (Source – BruceKetta.house)
The malware then downloads malicious replacement applications from specific domains, including hxxps://wheelchairmoments[.]com for the fake Ledger Live and hxxps://sunrisefootball[.]com for the fake Trezor Suite.
These ZIP archives are saved to ~/Library/LaunchAgents/ and extracted to replace the original applications. The malware modifies the Dock configuration using /usr/libexec/PlistBuddy to delete the old app entry and add a new one pointing to the fake application.
The fake wallet applications use Swift and WebKit to render phishing pages that look legitimate. When victims open what they believe is their wallet application, they see a recovery interface asking them to enter their seed phrases.
The malicious JavaScript code includes validation against the BIP-39 and SLIP-39 word lists to provide auto-complete functionality, making the fake interface feel authentic.
Fake app execution (Source – BruceKetta.house)
As users type their recovery phrases, the data is sent to the endpoints /seed and /seed2 with a 200-400 ms delay after each keystroke, allowing attackers to capture partial phrases in real time without waiting for the final submission.
Nova Stealer also runs dedicated exfiltration modules. The mdriversfiles.sh component searches for and steals wallet files, including Trezor IndexedDB logs, Exodus files such as passphrase.json and seed.seco, and Ledger's app.json.
These files are uploaded to the command-and-control server every 20 hours using binary POST requests. Additionally, mdriversmetrics.sh collects system information, including installed applications, running processes, and Dock items, to help attackers profile victims and improve their campaigns.
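The artifacts described above (the hidden ~/.mdrivers staging directory, the LaunchAgent label, ZIP archives staged under ~/Library/LaunchAgents/, and detached screen sessions) give a defender a concrete host-triage checklist. The following POSIX shell script is an added example written for this article, not code from the researchers or from the malware; the paths and the plist label are the ones quoted above, while the check logic and the nova_triage function name are this example's own assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the report or the malware): checks one home directory
# for the Nova Stealer artifacts the article describes. Paths and the plist label are
# the ones quoted above; the check logic itself is an assumption of this example.
# Usage: nova_triage "$HOME"  -> prints one line per finding, exit 1 if anything found

nova_triage() {
    home="${1:-$HOME}"
    hits=0

    # 1. Hidden staging directory, per-victim ID file and base64 module cache
    for p in ".mdrivers" ".mdrivers/user_id.txt" ".mdrivers/scripts"; do
        if [ -e "$home/$p" ]; then
            echo "FOUND staging artifact: $home/$p"
            hits=$((hits + 1))
        fi
    done

    if [ -d "$home/Library/LaunchAgents" ]; then
        # 2. LaunchAgent persistence carrying the label named in the report
        for plist in "$home"/Library/LaunchAgents/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "utility.com.artificialintelligence" "$plist"; then
                echo "FOUND persistence plist: $plist"
                hits=$((hits + 1))
            fi
        done
        # 3. ZIP archives do not belong in LaunchAgents; the swapped apps are staged there
        for z in "$home"/Library/LaunchAgents/*.zip; do
            [ -f "$z" ] || continue
            echo "FOUND staged archive: $z"
            hits=$((hits + 1))
        done
    fi

    # 4. Detached screen sessions (modules are launched with screen -dmS); informational only
    if command -v screen >/dev/null 2>&1; then
        screen -ls 2>/dev/null | grep -i detached | sed 's/^/INFO detached screen session:/'
    fi

    [ "$hits" -eq 0 ]
}
```

Run it against each local user's home directory; a non-zero exit means at least one of the article's on-disk indicators is present and the machine should be isolated and imaged before any clean-up.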
