Security researchers have uncovered Nova, a sophisticated evolution of the Snake Keylogger malware family, demonstrating advanced data stealing capabilities and improved evasion techniques.
This new variant represents a significant advancement in malware development, posing increased risks to both personal and enterprise systems.
Snake Keylogger, a .NET-based malware discovered in November 2020, is known for stealing credentials and logging keystrokes.
It spreads mainly through phishing campaigns using malicious Office documents or PDFs that deliver downloader scripts via PowerShell. Once active, it records keystrokes, steals saved credentials, captures screenshots, and extracts clipboard data.
By 2024, Snake Keylogger has advanced its tactics with techniques like process hollowing and heavily obfuscated code to evade detection. It now uses a suspended child process to inject its payload, making it harder for security tools to detect and block. Reports show its prevalence is increasing, posing a growing risk to personal and corporate cybersecurity.
Technical Insights from ANY.RUN Sandbox
Nova, written in VB.NET, employs multiple layers of protection, including the .NET Reactor obfuscator and AutoIt-based protectors. Its key evasion advancement is process hollowing: the malware starts a child process in a suspended state and injects its payload into it, which makes the payload harder for antivirus programs and other security solutions to detect and block.
The heavy obfuscation applied with tools such as .NET Reactor further disguises its operations. Reports from 2024 highlight a significant increase in zero-day detections related to this malware, underscoring its growing threat level.
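The suspended-child-process injection described above leaves a recognisable sequence of API calls from the parent: a process created with the CREATE_SUSPENDED flag, a write into that child's memory, and a ResumeThread on it. The following detector, added here as an illustration and not code from the article, from ANY.RUN or from the malware, walks a constructed API-call trace and reports parent/child pairs that show that sequence. The record layout (ts, pid, api, target_pid, flags) is an assumption about what a sandbox or EDR trace might expose.

```python
"""Flag the suspended-child-process injection pattern (process hollowing)
in an API-call trace. Example code; the trace format is assumed."""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # documented CreateProcess creation flag

# Constructed trace, one record per API call, in time order.
SAMPLE_TRACE = [
    # suspicious: parent 1001 creates 2002 suspended, writes into it, resumes it
    {"ts": 1, "pid": 1001, "api": "CreateProcessW", "target_pid": 2002, "flags": 0x4},
    {"ts": 2, "pid": 1001, "api": "NtUnmapViewOfSection", "target_pid": 2002},
    {"ts": 3, "pid": 1001, "api": "WriteProcessMemory", "target_pid": 2002},
    {"ts": 4, "pid": 1001, "api": "SetThreadContext", "target_pid": 2002},
    {"ts": 5, "pid": 1001, "api": "ResumeThread", "target_pid": 2002},
    # benign: a shell launching a child normally (no suspension)
    {"ts": 6, "pid": 3003, "api": "CreateProcessW", "target_pid": 4004, "flags": 0x0},
    {"ts": 7, "pid": 3003, "api": "ResumeThread", "target_pid": 4004},
    # debugger-like: suspended start, but no memory write before resume
    {"ts": 8, "pid": 5005, "api": "CreateProcessW", "target_pid": 6006, "flags": 0x4},
    {"ts": 9, "pid": 5005, "api": "ResumeThread", "target_pid": 6006},
]


def detect_hollowing(trace):
    """Return (parent_pid, child_pid) pairs where the parent created the child
    suspended, wrote into its memory, and then resumed it.  Unmapping the
    original image and rewriting the thread context are not required for a
    hit, so variants that skip those steps are still caught."""
    state = defaultdict(dict)  # (parent, child) -> steps observed so far
    hits = []
    for ev in sorted(trace, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["target_pid"])
        steps = state[key]
        api = ev["api"]
        if api in ("CreateProcessW", "CreateProcessA") and ev.get("flags", 0) & CREATE_SUSPENDED:
            steps["suspended"] = True
        elif api == "WriteProcessMemory" and steps.get("suspended"):
            steps["written"] = True
        elif api == "ResumeThread" and steps.get("written"):
            hits.append(key)
            state.pop(key)  # report each pair once
    return hits


if __name__ == "__main__":
    for parent, child in detect_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {parent} -> child pid {child}")
```

The rule deliberately keys on the parent writing into a child it started suspended rather than on the full five-call chain, so a legitimate debugger (suspended start, no write) does not fire while a hollowing attempt that skips NtUnmapViewOfSection still does.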
Analysis conducted in the ANY.RUN Interactive Sandbox reveals Nova’s behavior in detail; the recorded session shows the following.
The malware initiates HTTP requests to services like checkip.dyndns.org to ascertain the victim’s public IP address and uses DNS requests to reallyfreegeoip.org to determine the country in which the infected device is located.
Key technical features include:
- Comprehensive credential harvesting from major browsers including Chrome, Firefox, Edge, and Opera
- Email client targeting capabilities for Outlook, Thunderbird, and Foxmail
- Advanced Windows product key extraction through registry manipulation
- Sophisticated clipboard monitoring and data exfiltration systems
Data Exfiltration Methods
The malware features a versatile exfiltration framework that utilizes three main channels: Telegram API integration, FTP transfer capabilities, and SMTP-based exfiltration.
Analysis indicates active use of Telegram bots for command and control purposes, with identified bot handles such as “skullsnovabot,” “onumenbot,” and “santigeebot.”
Nova’s information gathering capabilities extend beyond basic keylogging, incorporating:
- Geolocation tracking through reallyfreegeoip.org
- IP address verification via checkip.dyndns.org
- System information collection including PC name and temporal data
- Automated password decryption for multiple applications
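The reconnaissance lookups (checkip.dyndns.org, reallyfreegeoip.org) and the three exfiltration channels (Telegram bot API, FTP, SMTP) named above are all network-visible, which makes them a natural place for a defender to hunt. The script below, an added example rather than code from the article or ANY.RUN, scans constructed proxy/connection log lines for those indicators and then correlates them per process: a process that performs the IP/geolocation check and then opens an exfiltration channel is the strongest signal. The log format (timestamp, pid, process, destination IP, port, URL or "-"), the process name "updater.exe", the IP addresses and the allow-list of clients that legitimately speak SMTP/FTP are all constructed assumptions; the Telegram bot-API URL shape (api.telegram.org/bot<token>/...) is the public API format.

```python
"""Hunt for Nova-style recon lookups and exfiltration channels in
connection logs, then correlate them per process. Example code; the
log layout and allow-list are assumptions."""
import re
from urllib.parse import urlparse

# Services the article reports the malware contacting before exfiltration.
RECON_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
# Telegram bot API calls carry the bot token in the path: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/")
# Ports for the other two channels named in the article (FTP and SMTP variants).
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}
# Assumed allow-list: clients expected to use these channels on a workstation.
EXPECTED_CLIENTS = {"outlook.exe", "thunderbird.exe", "foxmail.exe",
                    "filezilla.exe", "telegram.exe", "chrome.exe", "firefox.exe"}

# Constructed log: ts pid process dst_ip dst_port url-or-dash
SAMPLE_LOG = """\
2024-11-20T10:00:01 4120 updater.exe 93.184.216.34 80 http://checkip.dyndns.org/
2024-11-20T10:00:02 4120 updater.exe 104.21.1.1 443 https://reallyfreegeoip.org/
2024-11-20T10:00:05 4120 updater.exe 149.154.167.220 443 https://api.telegram.org/bot123456:EXAMPLE_TOKEN/sendMessage
2024-11-20T10:01:00 2210 outlook.exe 198.51.100.25 587 -
2024-11-20T10:01:30 4120 updater.exe 198.51.100.25 587 -
2024-11-20T10:02:00 3300 chrome.exe 142.250.1.1 443 https://www.example.com/
2024-11-20T10:02:10 4120 updater.exe 203.0.113.9 21 -
"""


def parse(line):
    """Split one log line into a dict; the URL field may itself be '-'."""
    ts, pid, proc, dst, port, url = line.split(" ", 5)
    return {"ts": ts, "pid": int(pid), "proc": proc.lower(),
            "dst": dst, "port": int(port), "url": url}


def classify(ev):
    """Return a reason string if the event matches a reported Nova behaviour, else None."""
    host = urlparse(ev["url"]).hostname if ev["url"] != "-" else None
    if host in RECON_DOMAINS:
        return f"recon:{host}"
    if TELEGRAM_BOT_RE.match(ev["url"]) and ev["proc"] not in EXPECTED_CLIENTS:
        return "exfil:telegram-bot-api"
    service = EXFIL_PORTS.get(ev["port"])
    if service and ev["proc"] not in EXPECTED_CLIENTS:
        return f"exfil:{service}"
    return None


def find_suspects(log_text):
    """All (pid, process, reason) tuples for lines that match an indicator."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev["pid"], ev["proc"], reason))
    return alerts


def pids_with_recon_and_exfil(alerts):
    """Processes that both performed the IP/geo check and used an exfil channel."""
    recon = {pid for pid, _, r in alerts if r.startswith("recon:")}
    exfil = {pid for pid, _, r in alerts if r.startswith("exfil:")}
    return sorted(recon & exfil)


if __name__ == "__main__":
    alerts = find_suspects(SAMPLE_LOG)
    for pid, proc, reason in alerts:
        print(f"pid {pid} ({proc}): {reason}")
    print("recon + exfil from the same process:", pids_with_recon_and_exfil(alerts))
```

Single hits on checkip.dyndns.org or port 587 are noisy on their own (IP-check sites and mail clients are common), so the per-process correlation in pids_with_recon_and_exfil is what should drive an alert; the individual matches are better kept as enrichment.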
This evolution in the Snake malware family represents a concerning trend in malware sophistication. The combination of advanced evasion techniques with comprehensive data theft capabilities makes Nova a significant threat to organizational security.
“The emergence of Nova demonstrates the continuous evolution of cyber threats,” security researchers note. “Its enhanced capabilities and evasion techniques make it particularly challenging to detect and mitigate.”