Attackers Use NOVA Stealer to Target Russian Organizations

Summary: The NOVA campaign distributes a stealer to Russian organizations through phishing emails whose archive attachments are disguised as contracts. Once the attachment is executed, NOVA establishes persistence, adds itself to Microsoft Defender's exclusions so it is no longer scanned, and collects keystrokes, screenshots and saved credentials, which it sends out over SMTP. The stealer is sold as Malware-as-a-Service (MaaS), so the campaign's tooling is available to criminals with little technical skill of their own.

Affected: Russian organizations targeted by the phishing campaign; Windows hosts on which the attachment is executed

Key points:

  • Adversaries send NOVA as archive attachments in phishing emails, disguising them as contracts.
  • NOVA gains persistence using Windows Task Scheduler and adds itself to the Microsoft Defender exclusions list.
  • The stealer captures keystrokes, screenshots, and saved credentials, exfiltrating data via SMTP.
  • NOVA is marketed through a Telegram group, offering various licenses for the stealer and a cryptor.
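The three host behaviours in the key points above (a Defender exclusion being added, a scheduled task pointing at a user-writable path, and an SMTP connection from something that is not a mail client) are all visible in standard Windows telemetry. The Python below is an added detection example written for this page; it is not code from BI.ZONE or from the NOVA report. The sample records are constructed, not real telemetry, and their field names assume a log forwarder that exports Windows Security, Defender Operational and Sysmon events as JSON; the event IDs used (Defender 5007 configuration change, Security 4698 scheduled task created, Sysmon 3 network connection) are the standard ones. The list of legitimate mail clients is an assumption to tune per estate.

```python
"""Hunt for NOVA-style persistence and exfiltration in constructed Windows event records."""
import re
from dataclasses import dataclass

# Path fragments that an ordinary user can write to; a task or exclusion here is suspect.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# SMTP, SMTPS and submission ports used for mail-based exfiltration.
MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP on a workstation (assumption: tune per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Defender 5007 messages name the registry value that changed, e.g.
# "...\Windows Defender\Exclusions\Paths\C:\path\to\file.exe = 0x0".
EXCLUSION_RE = re.compile(
    r"Exclusions\\(?:Paths|Processes|Extensions)\\(.+?)\s*=\s*0x", re.IGNORECASE
)
# Security 4698 carries the task XML; the Exec action holds the launched command.
COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)

# Constructed sample events (not real telemetry), shaped like JSON-exported logs.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\ivan\\AppData\\Roaming\\svc.exe = 0x0"},
    {"channel": "Security", "event_id": 4698, "task_name": "\\Updater",
     "task_content": "<Exec><Command>C:\\Users\\ivan\\AppData\\Roaming\\svc.exe</Command></Exec>"},
    {"channel": "Security", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "image": "C:\\Users\\ivan\\AppData\\Roaming\\svc.exe",
     "dest_port": 587, "dest_host": "smtp.example.net"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "dest_port": 587, "dest_host": "smtp.office365.com"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str   # lower-cased executable path the finding is about, for correlation
    detail: str


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory an unprivileged user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(events) -> list:
    """Apply the three NOVA-behaviour rules to a sequence of event dicts."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 5007 and "Defender" in ev.get("channel", ""):
            m = EXCLUSION_RE.search(ev.get("message", ""))
            if m:
                path = m.group(1).strip()
                findings.append(Finding("defender_exclusion_added", path.lower(), path))
        elif eid == 4698:
            m = COMMAND_RE.search(ev.get("task_content", ""))
            cmd = m.group(1).strip() if m else ""
            if is_user_writable(cmd):
                findings.append(Finding("scheduled_task_user_path", cmd.lower(),
                                        f"{ev.get('task_name')} -> {cmd}"))
        elif eid == 3 and ev.get("dest_port") in MAIL_PORTS:
            image = ev.get("image", "")
            if image.rsplit("\\", 1)[-1].lower() not in MAIL_CLIENTS:
                findings.append(Finding("smtp_from_non_mail_client", image.lower(),
                                        f"{image} -> {ev.get('dest_host')}:{ev.get('dest_port')}"))
    return findings


def correlate(findings) -> set:
    """Paths that trip more than one rule: the strongest signal of a stealer install."""
    rules_by_path = {}
    for f in findings:
        rules_by_path.setdefault(f.path, set()).add(f.rule)
    return {path for path, rules in rules_by_path.items() if len(rules) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.detail}")
    print("correlated:", correlate(found))
```

Each rule on its own is noisy (administrators add exclusions, installers create tasks), so the `correlate` step is the one worth alerting on: the same binary being excluded from Defender, launched by a scheduled task, and talking SMTP is the behaviour described above, regardless of which stealer brand is behind it.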

Source: https://bi.zone/eng/expertise/blog/nova-khorosho-zabytoe-staroe/