A sophisticated new threat has emerged within the cybercriminal landscape, masquerading as an educational tool while orchestrating large-scale credential theft and wallet compromise operations.
NOVABLIGHT, a NodeJS-based Malware-as-a-Service (MaaS) infostealer, represents a concerning evolution in cybercrime accessibility, allowing virtually anyone to deploy advanced data theft capabilities with minimal technical expertise.
The malware campaign, initially discovered through fake video game installer downloads, demonstrates the growing trend of cybercriminals leveraging legitimate-seeming applications to distribute malicious payloads.
Threat actors behind NOVABLIGHT have strategically positioned their product as an educational tool, despite clear evidence of its malicious intent and commercial distribution through underground marketplaces.
NOVABLIGHT's product page on Billgang (Source – Elastic)
The deceptive marketing approach has enabled widespread adoption among cybercriminals seeking ready-made solutions for credential harvesting and cryptocurrency theft.
Elastic analysts identified NOVABLIGHT as the latest creation of the Sordeal Group, the same threat actors responsible for Nova Sentinel and MALICORD.
The group demonstrates French-language proficiency in its operational communications, conducting business primarily through Telegram and Discord, where it offers annual licenses and provides technical support to its criminal clientele.
This professional approach to malware distribution has transformed cybercrime from a specialised skill into a readily accessible service.
The malware's attack vectors primarily focus on social engineering techniques, with researchers documenting campaigns using fake video game installers as initial access vectors.
Landing page for gonefishe[.]com (Source – Elastic)
One notable example involved the domain http://gonefishe[.]com, which prompted users to download what appeared to be a legitimate French-language game installer corresponding to recently released Steam titles.
This approach capitalizes on users' trust in gaming platforms while delivering a comprehensive data theft payload.
Infection Mechanism and Persistence Architecture
NOVABLIGHT employs a sophisticated multi-stage infection process designed to establish persistent access while evading detection mechanisms.
The malware's architecture follows a clear pipeline structure, beginning with pre-flight checks that assess the target environment for virtual machines, debugging tools, and security software.
Dashboard on the NOVABLIGHT web panel (Source – Elastic)
The initial phase, designated "flow/init," performs comprehensive system enumeration while establishing communication with command-and-control infrastructure hosted across multiple domains, including api.nova-blight[.]top and shadow.nova-blight[.]top.
The persistence mechanism incorporates several advanced techniques, including registry manipulation to disable Windows security features and Task Manager access.
The malware attempts to modify the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System by setting the DisableTaskMgr value to 1, effectively preventing users from easily terminating malicious processes.
Additionally, NOVABLIGHT implements file system modifications using the icacls command: icacls "${filePath}" /deny ${currentUser}:(DE,DC), where DE denies delete rights and DC prevents deletion through parent folder operations.
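As an added defender-side example (not code from the Elastic report), the following Python turns the persistence and C2 indicators described above (the DisableTaskMgr registry write, the icacls /deny (DE,DC) self-protection, and the nova-blight[.]top domains) into detection rules and runs them over a few constructed Sysmon-style event lines. Field names follow Sysmon's (EventID, Image, TargetObject, Details, CommandLine, QueryName); the paths, SID and user name are assumed sample values.

```python
import re
# Constructed Sysmon-style telemetry (key=value per line); not taken from the report.
# EventID 13 = registry value set, 1 = process creation, 22 = DNS query.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\installer.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr "
    r"Details=DWORD (0x00000001)",
    r"EventID=1 Image=C:\Windows\System32\icacls.exe "
    r'CommandLine=icacls "C:\Users\bob\AppData\Roaming\svc\svc.exe" /deny DESKTOP\bob:(DE,DC)',
    r"EventID=22 Image=C:\Users\bob\AppData\Local\Temp\installer.exe QueryName=api.nova-blight.top",
    # benign noise: an icacls grant and an unrelated DWORD write must not fire
    r"EventID=1 Image=C:\Windows\System32\icacls.exe CommandLine=icacls C:\share /grant Everyone:(R)",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Test\Foo Details=DWORD (0x00000001)",
]
# icacls <path> /deny <principal>:(<rights>) -- capture the rights list inside the parentheses
ICACLS_DENY = re.compile(r"\bicacls\b.*?/deny\s+\S+?:\(([^)]*)\)", re.IGNORECASE)

def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values may contain spaces, keys may not."""
    return dict(part.split("=", 1) for part in re.split(r" (?=\w+=)", line))

def icacls_denies_delete(cmd):
    """True when an icacls /deny ACE strips both DE (delete) and DC (delete child)."""
    m = ICACLS_DENY.search(cmd)
    return bool(m) and {"DE", "DC"} <= {r.strip().upper() for r in m.group(1).split(",")}

def match_rules(ev):
    """Names of the NOVABLIGHT persistence/C2 behaviours a single event exhibits."""
    hits = []
    if (ev.get("EventID") == "13"
            and ev.get("TargetObject", "").lower().endswith(r"\policies\system\disabletaskmgr")
            and ev.get("Details", "").endswith("(0x00000001)")):
        hits.append("disable_taskmgr_set")
    if ev.get("EventID") == "1" and icacls_denies_delete(ev.get("CommandLine", "")):
        hits.append("icacls_self_protect")
    if ev.get("EventID") == "22" and ev.get("QueryName", "").lower().endswith("nova-blight.top"):
        hits.append("novablight_c2_domain")
    return hits

def scan(lines):
    """Return (rule, process image) pairs for every event that matches a rule."""
    findings = []
    for ev in map(parse_event, lines):
        findings += [(rule, ev.get("Image", "")) for rule in match_rules(ev)]
    return findings

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {image}")
```

The registry rule matches the value path under any hive prefix (HKCU or HKU\<SID>) because Sysmon logs the user hive by SID, and the icacls rule requires both DE and DC so that an ordinary single-right deny does not trigger it.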
The malware's clipboard monitoring functionality represents one of its most insidious capabilities, continuously scanning for cryptocurrency wallet addresses and PayPal transaction details.
When it detects matching patterns, NOVABLIGHT replaces legitimate addresses with attacker-controlled alternatives, as demonstrated by the configuration flag swapWallet.active.
This clipper module ensures that financial transactions initiated by victims are redirected to cybercriminal-controlled accounts, often without immediate detection by the victim.
NOVABLIGHT's data exfiltration capabilities extend beyond simple credential theft, incorporating comprehensive system profiling, webcam recording, and targeted application injection.
The malware specifically targets Electron-based applications including Discord, Exodus wallet, and the Mullvad VPN client, dynamically fetching injection payloads from https://api.nova-blight[.]top/injections/ endpoints.
This modular approach ensures that the malware remains effective against updated applications while maintaining operational flexibility for threat actors seeking specific target profiles.