New 'Nova Stealer' Malware Targets macOS Crypto Wallets

Researchers Discover 'Nova Stealer' Malware Targeting macOS Users to Steal Cryptocurrency Wallets and Sensitive Data

Severity: HIGH
November 20, 2025
Categories: Malware, Threat Intelligence, Mobile Security

Related Entities

  • Organizations: (none listed)
  • Products & Tech: macOS, Cryptocurrency
  • Other: Nova Stealer

Full Report

Executive Summary

Security researchers have identified a new malware strain named 'Nova Stealer' that is specifically designed to target Apple macOS systems. This information stealer functions as a trojan: it is distributed inside tampered copies of legitimate applications so that it gains execution when the victim launches one. Once active, Nova Stealer scours the file system for cryptocurrency wallet data and other sensitive information and exfiltrates it to an attacker-controlled server. Its emergence is another data point in the growing trend of sophisticated malware development for macOS, a signal that Mac users are increasingly in the crosshairs of cybercriminals.

Threat Overview

  • Malware: Nova Stealer
  • Malware Type: Information Stealer / Trojan
  • Target Platform: Apple macOS
  • Primary Objective: Steal cryptocurrency wallets and other sensitive data.
  • Infection Vector: The malware is distributed by trojanizing legitimate applications. Users are likely tricked into downloading these malicious versions from third-party websites, torrents, or through social engineering.

Technical Analysis

Nova Stealer employs a classic trojan horse strategy. The attack chain is as follows:

  1. Distribution: The attacker packages the Nova Stealer payload within a legitimate macOS application and distributes it through unofficial channels.
  2. Execution: The user downloads and runs the trojanized application. The legitimate application may run as expected to avoid suspicion, while the malicious payload executes in the background.
  3. Persistence (Hypothesized): The malware likely establishes persistence to survive reboots, possibly by creating a LaunchAgent or LaunchDaemon plist file in /Library/LaunchAgents/ or ~/Library/LaunchAgents/.
  4. Discovery: The stealer searches for specific files and directories associated with popular cryptocurrency wallets (e.g., Exodus, Electrum, MetaMask browser extension data) and other valuable information like browser cookies, saved passwords, and SSH keys.
  5. Exfiltration: The collected data is compressed and sent to a remote command-and-control (C2) server.
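The persistence step above is hypothesized rather than observed, so the first thing a defender can check is the launchd job directories it names. The Python script below is an added example, not code from the source researchers or from this article: it parses every `.plist` in those directories and flags jobs whose program lives in a volatile or shared directory, hides inside a dot-directory, carries an Apple-style label while pointing at a non-Apple binary, or combines `RunAtLoad` with `KeepAlive`. The prefix lists are heuristics assumed for the example, and the two sample plists it writes to a temporary directory are constructed.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Directories launchd reads user agents and system daemons from (real macOS paths).
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]

# Heuristic prefix lists: assumptions of this example, tune them per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
VOLATILE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
APPLE_ONLY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_of(job):
    """Executable a launchd job starts: the Program key wins over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess_job(job, path):
    """Return a dict describing one plist and the heuristic findings raised against it."""
    findings = []
    label = job.get("Label", "")
    program = program_of(job)
    if program is None:
        findings.append("no Program/ProgramArguments")
    else:
        expanded = os.path.expanduser(program)
        if expanded.startswith(VOLATILE_PREFIXES):
            findings.append(f"program in volatile or shared dir: {program}")
        elif not expanded.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted prefixes: {program}")
        # A dot-directory anywhere in the path is a classic hiding spot.
        if any(part.startswith(".") for part in Path(expanded).parts[1:]):
            findings.append("hidden path component")
        # An Apple-looking label that starts a non-Apple binary is label spoofing.
        if label.startswith("com.apple.") and not expanded.startswith(APPLE_ONLY_PREFIXES):
            findings.append("Apple-style label for non-Apple program")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (restart-on-kill)")
    return {"path": str(path), "label": label, "program": program, "findings": findings}


def audit(dirs=LAUNCH_DIRS):
    """Parse every .plist in the given directories; unparseable files are reported as well."""
    results = []
    for d in dirs:
        d = Path(os.path.expanduser(d))
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                with open(p, "rb") as f:
                    results.append(assess_job(plistlib.load(f), p))
            except Exception as exc:  # a malformed plist in a launch dir is itself a finding
                results.append({"path": str(p), "label": "", "program": None,
                                "findings": [f"unparseable plist: {exc}"]})
    return results


def build_sample_dir():
    """Write two constructed plists to a temp dir: a benign updater and a look-alike persistence job."""
    d = Path(tempfile.mkdtemp())
    jobs = {
        "benign": {"Label": "com.example.updater",
                   "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
                   "RunAtLoad": True},
        "lookalike": {"Label": "com.apple.softwareupdate.helper",
                      "ProgramArguments": ["/Users/Shared/.cache/helper", "-s"],
                      "RunAtLoad": True, "KeepAlive": True},
    }
    for name, job in jobs.items():
        with open(d / f"{name}.plist", "wb") as f:
            plistlib.dump(job, f)
    return d


if __name__ == "__main__":
    import sys
    # With no arguments, audit the real launchd directories; otherwise audit the paths given.
    targets = sys.argv[1:] or LAUNCH_DIRS
    for r in audit(targets):
        status = "SUSPICIOUS" if r["findings"] else "ok"
        print(f"{status:10} {r['path']}  label={r['label']}  program={r['program']}")
        for finding in r["findings"]:
            print(f"{'':10}   - {finding}")
```

Run it without arguments on a Mac to audit the live directories, or pass a directory (for instance the one `build_sample_dir()` returns) to see the constructed look-alike job raise all four findings while the benign updater raises none. The script reports rather than deletes: a flagged job still needs a human to confirm what installed it before it is unloaded.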

Probable MITRE ATT&CK TTPs:

Impact Assessment

The primary impact is the direct financial loss from stolen cryptocurrency. Depending on the value stored in the compromised wallets, this could be substantial. Additionally, the theft of browser data, including saved passwords and session cookies, can lead to the compromise of numerous other online accounts, such as email, social media, and financial services. This can result in follow-on attacks, identity theft, and further financial fraud.

IOCs

No specific Indicators of Compromise (IOCs) like file hashes or C2 domains were provided in the source articles.

Detection & Response

  • Endpoint Security: Use a reputable endpoint security solution for macOS that can detect and block known malware like Nova Stealer. Look for products that use behavioral analysis to spot suspicious activities, such as an application suddenly accessing sensitive file paths. This aligns with D3FEND's File Analysis (D3-FA).
  • Monitor Network Traffic: Monitor for unexpected outbound connections from unusual processes. If a seemingly benign application is making network connections to an unknown IP address, it warrants investigation.
  • Process Monitoring: Look for suspicious processes running from unexpected locations or applications spawning shell scripts to search the file system.
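The three monitoring ideas above combine into a single correlation rule: a process that is not the legitimate owner of a wallet, browser or SSH path reads it and then opens an outbound connection, or spawns a shell that searches the file system. The Python below is an added example, not a detection from the article or from any vendor. The JSON event lines are constructed and only loosely mimic endpoint telemetry (`exec`, `file_open`, `net_connect`), not any real product's schema; the sensitive-path markers are well-known default locations, while the owner-application prefixes and the local-network list are assumptions to tune per environment.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Sensitive locations the stealer is reported to hunt. Markers are default paths;
# the owner prefixes (apps allowed to read them) are assumptions of this example.
SENSITIVE = [
    ("exodus wallet", "/Library/Application Support/Exodus/", ("/Applications/Exodus.app/",)),
    ("electrum wallet", "/.electrum/", ("/Applications/Electrum.app/",)),
    ("browser extension data", "/Local Extension Settings/", ("/Applications/Google Chrome.app/",)),
    ("browser cookies", "/Google/Chrome/Default/Cookies", ("/Applications/Google Chrome.app/",)),
    ("ssh keys", "/.ssh/", ("/usr/bin/ssh",)),
]
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
SEARCH_CMDS = ("find", "mdfind", "grep", "locate")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed telemetry, one JSON object per line. pid 501 is a trojanized editor,
# pid 600 is the real wallet app reading its own data.
EVENTS = """\
{"ts":"2025-11-20T09:00:01Z","event":"exec","pid":501,"ppid":1,"path":"/Applications/FancyEditor.app/Contents/MacOS/FancyEditor","args":[]}
{"ts":"2025-11-20T09:00:02Z","event":"exec","pid":502,"ppid":501,"path":"/bin/sh","args":["sh","-c","find /Users/alice/Library -type f -name '*.json'"]}
{"ts":"2025-11-20T09:00:03Z","event":"file_open","pid":501,"path":"/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"}
{"ts":"2025-11-20T09:00:03Z","event":"file_open","pid":501,"path":"/Users/alice/.ssh/id_ed25519"}
{"ts":"2025-11-20T09:00:04Z","event":"file_open","pid":501,"path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"ts":"2025-11-20T09:00:05Z","event":"net_connect","pid":501,"dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2025-11-20T09:01:00Z","event":"exec","pid":600,"ppid":1,"path":"/Applications/Exodus.app/Contents/MacOS/Exodus","args":[]}
{"ts":"2025-11-20T09:01:01Z","event":"file_open","pid":600,"path":"/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"}
{"ts":"2025-11-20T09:01:02Z","event":"net_connect","pid":600,"dst_ip":"203.0.113.9","dst_port":443}
"""


def classify(path):
    """Map a file path to (category, owner_prefixes), or None when it is not sensitive."""
    for category, marker, owners in SENSITIVE:
        if marker in path:
            return category, owners
    return None


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def looks_like_search(args):
    """True when a shell command line invokes a file-system search utility."""
    joined = " ".join(args)
    return any(re.search(rf"\b{cmd}\b", joined) for cmd in SEARCH_CMDS)


def detect(lines):
    """Correlate events per pid and return one alert per process that matches the rule."""
    procs = {}  # pid -> executable path, learned from exec events
    state = defaultdict(lambda: {"sensitive": set(), "outbound": set(), "shell_search": []})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["event"] == "exec":
            procs[pid] = ev["path"]
            # A shell that searches the disk is attributed to the parent that spawned it.
            if ev["path"] in SHELLS and looks_like_search(ev.get("args", [])):
                state[ev.get("ppid")]["shell_search"].append(" ".join(ev["args"]))
        elif ev["event"] == "file_open":
            hit = classify(ev["path"])
            # Only non-owner reads count; the wallet app opening its own store is normal.
            if hit and not procs.get(pid, "").startswith(hit[1]):
                state[pid]["sensitive"].add(hit[0])
        elif ev["event"] == "net_connect" and not is_local(ev["dst_ip"]):
            state[pid]["outbound"].add(f"{ev['dst_ip']}:{ev['dst_port']}")
    alerts = []
    for pid, s in state.items():
        reasons = []
        if s["sensitive"] and s["outbound"]:
            reasons.append(f"read {sorted(s['sensitive'])} then connected to {sorted(s['outbound'])}")
        elif s["sensitive"]:
            reasons.append(f"non-owner read of {sorted(s['sensitive'])}")
        if s["shell_search"]:
            reasons.append(f"spawned shell to search the file system: {s['shell_search'][0]}")
        if reasons:
            alerts.append({"pid": pid, "process": procs.get(pid), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(EVENTS), indent=2))
```

On the constructed input only pid 501 alerts, with two reasons: it read wallet, cookie and SSH-key paths it does not own and then connected to an external address, and it spawned a shell running `find`. The real wallet app (pid 600) reads the same wallet file and also talks to the network, but is excluded by the owner check, which is the part that keeps this rule from paging on every legitimate wallet or browser launch.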

Mitigation

  • Download from Official Sources: The most effective mitigation is to only download applications from the official Mac App Store or directly from the developer's trusted website (M1033 - Limit Software Installation). Avoid third-party aggregators and torrent sites.
  • Use Gatekeeper: Ensure macOS's Gatekeeper feature is enabled and configured to only allow apps from the App Store and identified developers. This prevents the execution of unsigned or unnotarized code.
  • Endpoint Protection: Install and maintain an up-to-date antivirus or EDR solution for macOS (M1049 - Antivirus/Antimalware).
  • Cold Storage for Crypto: For significant cryptocurrency holdings, use a hardware wallet (cold storage) that is not persistently connected to the computer, making it immune to information-stealing malware.

Timeline of Events

  1. November 19, 2025: Security researchers report the discovery of the 'Nova Stealer' malware.
  2. November 20, 2025: This article was published.

MITRE ATT&CK Mitigations

Using a reputable antivirus or EDR solution on macOS can detect and block known malware threats.

Leveraging macOS's built-in Gatekeeper and notarization features prevents the execution of untrusted and unsigned applications.

Educate users to only download software from the official Mac App Store or verified developer websites.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: macOS, Malware, InfoStealer, Trojan, Cryptocurrency
