NOVABLIGHT Masquerades as Educational Tool to Steal Login Credentials and Compromise Crypto Wallets
A newly analyzed Malware-as-a-Service (MaaS) infostealer, NOVABLIGHT, has emerged as a significant cybersecurity threat, targeting unsuspecting users with advanced data theft capabilities.
Developed and sold by the Sordeal Group, a threat actor demonstrating French-language proficiency, NOVABLIGHT is marketed as an “educational tool” on platforms like Telegram and Discord.
However, in-depth analysis by Elastic Security Labs reveals its true intent: a modular, feature-rich Node.js-based malware built on the Electron framework, designed to steal sensitive information, including login credentials and cryptocurrency wallet data.
The group’s communications and operational tactics, often unredacted on their primary sales channels, expose their malicious objectives, contradicting their educational claims.
Advanced Evasion Tactics
NOVABLIGHT is distributed through deceptive campaigns, often leveraging fake video game installers as initial access lures.
One such example involves a malicious URL prompting users to download a French-language game installer mimicking a recent Steam release.
Once executed, the malware runs a multi-stage pipeline that proceeds from pre-flight checks and anti-analysis measures through data harvesting to exfiltration.
Its capabilities include sandbox detection, system sabotage, and heavy obfuscation techniques like array mapping, base91 string encoding, and control flow obfuscation, making detection and analysis challenging.
NOVABLIGHT also targets popular Electron-based applications like Discord, Exodus, and Atomic wallets, injecting malicious code to exfiltrate credentials via configurable Discord webhooks and Telegram APIs.
Additionally, it employs clipboard hijacking to substitute cryptocurrency addresses, potentially redirecting funds to attackers, and downloads tools to decrypt data from Chromium-based browsers.
Persistent Evolution
The Sordeal Group monetizes NOVABLIGHT through a subscription model, offering API keys valid for 1 to 12 months, which buyers use to build malware instances via Telegram bots or Discord channels.

The group promotes a referral program and provides access to a dashboard hosted on domains like api.nova-blight[.]top and shadow.nova-blight[.]top for managing stolen data.
Despite its supposed educational purpose, community interactions on Telegram reveal users sharing screenshots of luxury purchases and money transfers, highlighting the malware’s real-world impact.
NOVABLIGHT’s infrastructure is notably resilient, utilizing a mix of third-party file-hosting services and dedicated backend servers for data exfiltration, ensuring operational continuity even if primary channels are disrupted.
Elastic Security Labs notes that the malware is under active development, with ongoing updates ensuring its persistence as a relevant threat.
Its alignment with MITRE ATT&CK tactics spanning execution, persistence, defense evasion, credential access, and exfiltration underscores its sophistication and the need for robust detection mechanisms, such as the YARA rules developed by Elastic to identify this activity.
Indicators of Compromise (IOC)
| Observable | Type | Name/Reference |
|---|---|---|
| ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64 | SHA-256 | NOVABLIGHT VERSION 2.2 |
| 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d | SHA-256 | NOVABLIGHT VERSION 2.1 |
| 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65 | SHA-256 | NOVABLIGHT VERSION 2.0 |
| api.nova-blight[.]top | DOMAIN | NOVABLIGHT dashboard |
| shadow.nova-blight[.]top | DOMAIN | NOVABLIGHT dashboard |
| nova-blight[.]site | DOMAIN | NOVABLIGHT dashboard |
| nova-blight[.]xyz | DOMAIN | NOVABLIGHT dashboard |
| bamboulacity.nova-blight[.]xyz | DOMAIN | NOVABLIGHT dashboard |