The cybersecurity landscape is continually reshaped by increasingly sophisticated threats, and the latest to draw significant attention is Nova Stealer, a carefully engineered malware campaign that targets macOS users and their cryptocurrency holdings. What is particularly concerning is not simply the theft of funds but the technical finesse the attackers display, which reflects a thorough understanding of macOS internals and of how cryptocurrency wallets protect their secrets.
Initial analysis, led by researchers at BruceKetta.space, reveals a modular design, a trait increasingly common in advanced malware, that lets the operators adapt and extend the campaign without rebuilding the whole toolkit. The infection chain begins with the execution of a dropper script, mdriversinstall.sh, downloaded from a command-and-control (C&C) server at hxxps://ovalresponsibility[.]com/mdriversinstall[.]sh. This script starts a layered deployment that relies on built-in macOS tooling to achieve persistence and exfiltrate data.
Upon execution, the malware creates a hidden directory, ~/.mdrivers, and installs several key components. Crucially, it generates a unique user ID using uuidgen and stores it in ~/.mdrivers/user_id.txt. This identifies infected machines, allowing for targeted follow-up attacks. The core orchestration is handled by mdriversmngr.sh, which downloads additional modules – encoded in base64 format – and stores them in ~/.mdrivers/scripts.
A particularly stealthy technique is the use of detached screen sessions started with screen -dmS. These background processes survive user logout, hide the malware's activity from a casual look at the desktop, and significantly complicate detection. The malware's sophistication extends to impersonating legitimate applications: it checks the /Applications/ directory for Ledger Live and Trezor Suite and, when it finds them, removes the original bundles with rm -rf and deletes their associated database entries via SQLite commands. The originals are then replaced with carefully crafted fake applications, built with Swift and WebKit, that present convincing phishing interfaces.
The fake applications closely mimic the appearance of the genuine wallet software and validate input against the BIP-39 and SLIP-39 word lists to offer intelligent auto-complete, a detail meant to heighten the illusion of legitimacy. The truly alarming aspect of Nova Stealer is how it collects data during this deception. When a user enters recovery words, the JavaScript code does not wait to transmit the complete phrase; it pauses 200-400 ms after each keystroke and sends the partial phrase as it is typed. The attackers therefore receive the seed phrase incrementally, leaving the victim little time to notice and react.
Beyond the phishing interface, Nova Stealer incorporates dedicated modules for data exfiltration. The mdriversfiles.sh component actively searches for and extracts sensitive data, including Trezor IndexedDB logs, Exodus files like passphrase.json and seed.seco, and Ledger’s app.json. This data is then uploaded to the C&C server every 20 hours via binary POST requests. Further complicating matters, the mdriversmetrics.sh component collects detailed system information – installed applications, running processes, and Dock items – enabling the attackers to profile their targets and refine their attack strategies.
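The on-host artifacts described in the preceding paragraphs (the hidden ~/.mdrivers directory with user_id.txt and the module scripts, the detached screen sessions, and the swapped wallet apps) can be turned into a simple hunt. The script below is an added example for defenders, not code from the original report or from BruceKetta.space; it assumes the module scripts live directly under ~/.mdrivers or in ~/.mdrivers/scripts, which the write-up does not pin down, and it takes directories as parameters so it can be pointed at a mounted image or a test fixture.

```shell
#!/bin/sh
# Nova Stealer artifact hunt (added example; not the report's own code).
# Assumption: module scripts sit in ~/.mdrivers or ~/.mdrivers/scripts.

# Scan a home directory ($1) for the staging directory, the victim-ID file
# and known module names. Prints one line per indicator found.
# Returns 0 when the staging directory exists (infected), 1 when clean.
nova_stealer_indicators() {
  home_dir="$1"
  staging="$home_dir/.mdrivers"
  [ -d "$staging" ] || return 1
  echo "hidden staging dir: $staging"
  if [ -f "$staging/user_id.txt" ]; then
    echo "victim id: $(cat "$staging/user_id.txt")"
  fi
  for mod in mdriversinstall.sh mdriversmngr.sh mdriversfiles.sh mdriversmetrics.sh; do
    for dir in "$staging" "$staging/scripts"; do
      if [ -f "$dir/$mod" ]; then
        echo "module: $dir/$mod"
      fi
    done
  done
  return 0
}

# Count detached screen sessions in `screen -ls` output read from stdin.
# Live use: screen -ls | count_detached_screens
# Any detached session on a desktop Mac deserves a look; the report gives
# no session name, so nothing is filtered by name here.
count_detached_screens() {
  grep -c '(Detached)' || true
}

# Report whether the two wallet apps the malware swaps out exist in $1.
# Presence alone cannot tell a genuine bundle from the Swift/WebKit fake;
# on macOS follow up with `codesign -dv --verbose=4 "<path>.app"` and compare
# the signing identity with a known-good install.
wallet_app_status() {
  apps_dir="${1:-/Applications}"
  for app in "Ledger Live.app" "Trezor Suite.app"; do
    if [ -d "$apps_dir/$app" ]; then echo "present: $app"; else echo "missing: $app"; fi
  done
}

# Run against the live host only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
  nova_stealer_indicators "$HOME" || echo "no ~/.mdrivers staging dir"
  screen -ls 2>/dev/null | count_detached_screens
  wallet_app_status /Applications
fi
```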
The modular design, coupled with the sophisticated techniques of data collection and exfiltration, paints a clear picture of a meticulously engineered malware campaign. Understanding the inner workings of Nova Stealer – its use of detached screen sessions, its methodical replacement of legitimate applications, and its real-time interception of seed phrases – is paramount to developing effective defensive strategies. The continued monitoring and analysis of this threat, alongside proactive security practices within the macOS ecosystem, remain crucial in mitigating the risk of future attacks.