Analysis of Nova: A Snake Keylogger Fork

Editor’s phrase: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and menace intelligence analyst. You may discover Mostafa on X and LinkedIn. 

On this malware analysis report, we’ll delve into Nova, a newly discovered fork of the Snake Keylogger family. This variant has been seen utilizing far more refined methods, signaling the continued adaptation and persistence of the Snake malware family inside the cybersecurity panorama. 

Overview of Snake Keylogger 

Snake Keylogger, a .NET-based malware first acknowledged in November 2020, is infamous for its credential-stealing and keylogging capabilities.

Study in-depth analysis of Snake Keylogger

It primarily spreads by means of phishing and spearphishing campaigns, the place malicious Office paperwork or PDFs are used to ship downloader scripts by PowerShell. As quickly as executed, Snake Keylogger captures keystrokes, steals saved credentials, takes screenshots, and extracts clipboard information. 

As of 2024, Snake Keylogger has continued to evolve, adopting superior evasion methods much like course of hollowing and carefully obfuscated code to avoid detection.  

This variant makes use of a suspended toddler course of to inject its payload, which makes it more durable for security software program program to determine and neutralize. Furthermore, tales level out that Snake Keylogger has grown additional prevalent, with vital spikes in zero-day detections, suggesting its ongoing menace to every personal and firm cybersecurity. 

Technical Analysis Using ANY.RUN Sandbox 

Let’s run a sandbox analysis session using ANY.RUN’s Interactive Sandbox to seek out the technical particulars of this malware.  

View analysis session 

Throughout the HTTP Requests tab, we’ll see that Nova sends HTTP Requests to hxxp[://]checkip[.]dyndns[.]org/ to get the IP of the sufferer system: 

In DNS requests tab, Nova makes DNS requests to reallyfreegeoip[.]org to get the nation title of the sufferer system: 

Unpacking 

Nova keylogger makes use of a protector written in AutoIt. There are a variety of strategies to unpack it: 

1. Decompiling the executable to AutoIt script (.au3) 

2. Executing the sample and letting it unpack itself inside the memory, then dumping the tactic. This can be completed with the help of the following devices: 

• Sandbox 
• Unpacme
• Pe-sieve 

Be taught to unpack malware

Based mostly on Unpacme, the unpacked sample is obfuscated using the Web Reactor Obfuscator: 

Exeinfo moreover confirms this: 

The presence of fairly a number of empty capabilities strongly suggests obfuscation, which aligns with the devices’ analysis. 

To deal with this, we’ll use NETReactorSlayer for deobfuscation. 

NETReactorSlayer carried out exceptionally correctly on this exercise, effectively deobfuscating the sample. 

Deep Analysis 

Nova is ready to extracting delicate information from quite a lot of sources, along with:

• Browsers: Chrome, Brave, Opera, Firefox, Edge, and lots of others.
• Emaial Consumers: Outlook, Foxmail, Thunderbird.
• FTP Consumers: Filezilla.

It should probably moreover retrieve and decode the House home windows product key.

Let’s take a extra in-depth take a look at these functionalities to know their implications and the depth of Nova’s capabilities. 

Extracting and Decrypting Outlook Passwords №

Nova performs the following steps to extract and decrypt Outlook passwords: 

1. Initialization 

• Creates a list to retailer recovered account particulars. 
• Prepares an array of strings representing the password varieties to hunt for inside the House home windows registry. 

2. Accessing registry keys 

Nova opens the following registry keys, which are recognized to retailer Outlook profile information: 

• Software program programMicrosoftWorkplace15.0OutlookProfilesOutlook9375CFF0413111d3B88A00104B2A6676 
• Software program programMicrosoftHome home windows NTCurrentVersionHome home windows Messaging SubsystemProfilesOutlook9375CFF0413111d3B88A00104B2A6676 
• Software program programMicrosoftHome home windows Messaging SubsystemProfiles9375CFF0413111d3B88A00104B2A6676 
• Software program programMicrosoftWorkplace16.0OutlookProfilesOutlook9375CFF0413111d3B88A00104B2A6676 

3. Iterating by means of registry keys and subkeys 

• Nova scans the registry keys and their subkeys, checking for entries containing e-mail or password information. 
• If such entries are found, Nova makes an try to decrypt the password using the decryptOutlookPassword methodology. 

4. Decrypting passwords 

The decryptOutlookPassword methodology performs the following actions: 

• Takes the encrypted Outlook password as a byte array. 
• Removes the first byte from the array. 
• Decrypts the remaining information and converts it to a readable string. 
• Strips any null characters from the following string sooner than returning it. 

5. Retrieving account particulars 

It retrieves the e-mail value and converts it to a byte array using GetBytes. 

Then, it retrieves the SMTP server value, if on the market and gives the recovered account particulars to the guidelines. 

Extracting and Decrypting Browser Login Knowledge 

Quite a few capabilities exist for extracting browser login credentials. For this analysis, we’ll give consideration to Chrome_Speed, which targets Google Chrome’s saved login information. 

1. Discovering the Login Data file 

Chrome_Speed constructs the path to the Login Data SQLite file, the place Chrome retailers saved login credentials. Then verifies the existence of the Login Data file sooner than persevering with. 

2. Retrieving Login entries 

It loops by means of each login entry, retrieving the origin_url, username_value, and password_value. 

3. Decrypting passwords 

If passwords are saved in Mannequin 10 format, it makes use of the grasp key for decryption. For older codecs, an alternate decryption methodology, Decrypttttt, is employed. 

Key Methods Analyzed 

Let’s analyze GetMasterKey and Decrypttttt methods: 

1. GetMasterKey 

GetMasterKey retrieves and decrypts the grasp key utilized by Google Chrome to protect saved passwords. It reads the encrypted grasp key from the Native State file positioned inside the Chrome shopper information itemizing, then decrypts it for added use. 

The strategy begins by creating the path to the Native State file, which retailers the encrypted grasp key. 

It first checks for the existence of the Native State file; if the file is absent, the tactic returns null. 

Upon confirming the file’s presence, the contents are study, and a each day expression is employed to extract the encrypted grasp key. 

The tactic iterates by means of the matches to remodel the encrypted key from a Base64 string proper right into a byte array. 

Notably, a model new byte array is created that excludes the first 5 bytes of the distinctive array, as these bytes do not form half of the actual key. 

Lastly, the tactic makes an try to decrypt the trimmed key using the ProtectedData.Unprotect methodology, which is designed to decrypt information that has been secured with the ProtectedData.Defend methodology. 

The Unprotect methodology is a carry out that decrypts information protected by the House home windows Data Security API (DPAPI). It first checks if the enter information is professional and applicable with NT-based applications.  

The tactic then pins the memory of the encrypted information and any non-compulsory entropy to avoid factors all through decryption.  

It calls CryptUnprotectData to decrypt the data and handles errors by throwing exceptions when needed.  

Lastly, it clears delicate information from memory sooner than releasing sources. 

2. Decrypttttt 

Decrypttttt methodology is a carry out that decrypts a byte array using the House home windows Data Security API (DPAPI). 

It begins by initializing information constructions to hold the encrypted information and the decrypted output. 

The tactic pins the enter byte array in memory to cease the garbage collector from shifting it all through decryption. 

After establishing the required constructions, it calls CryptUnprotectData API to hold out the decryption. 

As quickly as the data is decrypted, the tactic copies the output right into a model new byte array, converts it to a string, and removes any trailing null characters. 

Lastly, it returns the decrypted string, guaranteeing right coping with of delicate information all by the tactic. 

Let’s get once more to Chrome_Speed carry out  

It combines the URL, username, and password proper right into a formatted string: 

"rn============X============rnURL: " 

    "rnUsername: " 

    "rnPassword: " 

    "rnApplication: Google Chromern=========================rn "

The formatted string is appended to a set of saved credentials for added use or exfiltration. 

Extracting House home windows Product Key 

The strategy of extracting the House home windows product key consists of accessing the system registry and decoding the DigitalProductID. Proper right here’s an in depth breakdown: 

First it opens “Software program programMicrosoftHome home windows NTCurrentVersion” registry key 

• Fetching DigitalProductID 

Then, the DigitalProductID is fetched from the registry as a byte array. This ID is used to generate the House home windows product key. 

• Extracting associated bytes 

A particular portion of the DigitalProductID is copied right into a model new byte array. 

The product secret is derived from bytes starting at index 52 inside the sourceArray. 

• Decoding the product key 

The outer loop runs 25 events (from 0 to 24) to form the product key. The inside loop processes each byte in reverse (from 14 to 0) to decode and generate the corresponding characters. 

• Formatting the product key 

The tactic returns the formatted product key as a string (e.g., XXXXX-XXXXX-XXXXX-XXXXX-XXXXX) 

Getting Sufferer’s Knowledge  

The strategy gathers key particulars in regards to the sufferer, along with: 

• IP Deal with 
• Nation 
• PC Title 
• Date and Time 

It should get the sufferer’s IP by making a request to: hxxp[://]checkip[.]dyndns[.]org/ 

The nation information is retrieved by querying:  hxxps[://]reallyfreegeoip[.]org/xml/ 

Data format 

The collected information is structured in a formatted string for added use: 

Getting Clipboard Data 

The strategy of extracting information from the clipboard consists of the following steps: 

• IsClipboardFormatAvailable checks if the clipboard accommodates textual content material in Unicode format 

• OpenClipboard opens the clipboard to allow examination and retrieval of information 

• GetClipboardData retrieves the data take care of from the clipboard inside the specified format 

Exfiltration 

Nova helps three information exfiltration methods: FTP, SMTP, or Telegram, counting on the configuration set by the malware author. 

It compares the UltraSpeed.QJDFjPqkSr value in direction of explicit flags: 

• “#FTPEnabled”: If true, information is exfiltrated by FTP. 
• “#SMTPEnabled”: If true, information is exfiltrated by SMTP. 
• “#TGEnabled”: If true, information is exfiltrated by Telegram. 

On this express sample, the exfiltration methodology is Telegram: 

As we see, there aren’t any credentials provided for SMTP and FTP servers:

Telegram Exfiltration 

The code accountable for exfiltration by means of Telegram consists of particulars regarding the bot and its endpoint for sending information: 

Telegram API endpoint: hxxps[://]api[.]telegram[.]org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI 

JSON Responses from the Telegram Bot API 

The provided images showcase JSON responses retrieved from the Telegram Bot API. These responses comprise detailed particulars about bots which could be instantly associated to the NOVA family of malware. 

Code Reference to “NOVA” 

The malware’s provide code explicitly mentions “NOVA”, reinforcing its attribution to this explicit malware family. 

Conclusion 

The Nova variant of the Snake Keylogger represents an enormous evolution of its predecessor, with superior evasion methods and a broader array of information exfiltration capabilities.  

Written in VB.NET, Nova leverages obfuscation methods much like Web Reactor Obfuscator and makes use in fact of hollowing to evade detection, making it a additional persistent and stealthy menace. By its refined methods, along with credential harvesting from every kind of browsers, e-mail purchasers, and completely different delicate information, Nova demonstrates its means to give attention to every personal and firm applications efficiently. 

The malware is ready to extracting quite a lot of worthwhile information, along with saved passwords, financial institution card particulars, and system keys, from every browsers and e-mail purchasers. In addition to, its means to assemble information from a sufferer’s clipboard and exfiltrate it by a variety of channels—much like FTP, SMTP, or Telegram—demonstrates its adaptability and adaptability. 

Whereas the utilization of Telegram as a result of the exfiltration methodology on this explicit sample reveals a shift within the course of additional covert communication, the facility to switch exfiltration methods permits the malware to avoid detection by security applications which will block positive channels. The malware’s integration with widespread devices like Telegram moreover signifies its use in large-scale, automated cybercrime actions, making it a crucial menace to organizations and folks alike. 

About ANY.RUN

ANY.RUN helps better than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that concentrate on every House home windows and Linux applications. Our menace intelligence merchandise, TI Lookup, YARA Search and Feeds, help you uncover IOCs or info to review additional regarding the threats and reply to incidents faster.  

With ANY.RUN you could: 

• Detect malware in seconds
• Work along with samples in precise time
• Save time and cash on sandbox setup and maintenance
• Doc and study all sides of malware habits
• Collaborate alongside along with your workforce 
• Scale as you need

Get a 14-day free trial to verify all choices of ANY.RUN’s Interactive Sandbox →

IOCs

Nova:  

68f5247bd24e8d5d121902a2701448fe135e696f8f65f29e9115923c8efebee4  

Dropped info 

C:UsersadminAppDataLocalTempfondaco afb1dae7a6f2396c3d136e60144b02dd03c59ab10704918185d12ef8c6d7ec93 

C:UsersadminAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupneophobia.vbs 66dbb9c8deadea9f848b1b55405738d8a65a733c804f1444533607c20584643e 

C2 URL

hxxps://api[.]telegram[.]org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument 

Bot Token

7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI 

Chat ID 

5679778644 

MITRE ATT&CK Methods

Mostafa ElSheimy

Mostafa ElSheimy is a malware reverse engineer and menace intelligence analyst, specializing in analyzing TTPs (Methods, Methods, and Procedures) and crafting YARA tips to detect and counter cyber threats. Mostafa’s work focuses on dissecting malware to uncover hidden dangers and defend organizations from rising threats.

Uncover him on X and LinkedIn.

Mostafa ElSheimy

Malware Analyst

Mostafa ElSheimy is a malware reverse engineer and menace intelligence analyst, specializing in analyzing TTPs (Methods, Methods, and Procedures) and crafting YARA tips to detect and counter cyber threats. Mostafa’s work focuses on dissecting malware to uncover hidden dangers and defend organizations from rising threats.

Uncover him on X and LinkedIn.