A new and sophisticated piece of macOS malware, Nova Stealer, is actively targeting macOS users with a deceptive tactic: it replaces legitimate cryptocurrency applications with fake versions in order to steal sensitive wallet data. The campaign poses a significant threat to cryptocurrency holders who rely on popular wallets such as Ledger Live, Trezor Suite, and Exodus to manage their digital assets.
The attack chain begins with an unknown dropper that downloads and executes a script, mdriversinstall.sh, from a command-and-control server. Once initiated, Nova Stealer establishes persistence on the compromised system, creates user tracking mechanisms, and prepares to deploy its core functionalities, primarily focused on acquiring cryptocurrency wallet recovery phrases.
Nova Stealer: A Modular Approach to macOS Cryptocurrency Theft
Security researchers from BruceKetta.space have identified Nova Stealer, noting its modular design and sophisticated evasion techniques. The malware operates through an orchestrator script, mdriversmngr.sh, which is responsible for downloading additional modules from its command-and-control infrastructure. These modules are delivered base64-encoded and stored in a hidden directory, ~/.mdrivers/scripts.
To ensure its continuous operation, Nova Stealer establishes persistence by creating a LaunchAgent plist file named application.com.artificialintelligence, so that the malicious scripts are executed automatically every time the macOS system starts up. Furthermore, the malware runs its work inside detached screen sessions, started with screen -dmS. This allows the malicious processes to run in the background, hidden from the user's direct view, and to persist even after the user logs out.
Application Swapping and Seed Phrase Exfiltration
The most alarming capability of Nova Stealer lies in its ability to swap out legitimate cryptocurrency wallet applications with malicious imposters. A specific malware component, mdriversswaps.sh, probes the system for the presence of Ledger Live or Trezor Suite within the /Applications/ directory. Upon detection, the malware proceeds to aggressively remove the original applications using the rm -rf command. It also purges the Launchpad database entries associated with these applications to prevent their reappearance.
Following the removal of genuine applications, Nova Stealer downloads fake replacements from compromised domains. For instance, a fake Ledger Live application is reportedly downloaded from hxxps://wheelchairmoments[.]com, while a fraudulent Trezor Suite is obtained from hxxps://sunrisefootball[.]com. These malicious applications, packaged as ZIP archives, are saved to ~/Library/LaunchAgents/ and then extracted to overwrite the original installations. The malware further manipulates the system’s Dock to remove the legitimate application icon and replace it with a pointer to the fake version, all managed through commands like /usr/libexec/PlistBuddy.
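The host indicators named above (the hidden ~/.mdrivers directory, the application.com.artificialintelligence LaunchAgent label, mdrivers*.sh module scripts, ZIP archives staged in ~/Library/LaunchAgents/, and detached screen sessions) can be checked with a short POSIX shell hunt. The script below is an added example written for this page, not code from the researchers or from the malware; the function name nova_hunt and the optional HOME_DIR argument are my own choices, and the script only reports, it does not delete anything.

```shell
#!/bin/sh
# nova_hunt.sh: report Nova Stealer host indicators described in the write-up.
# Usage: nova_hunt [HOME_DIR]  (defaults to $HOME; pass another tree to scan a
# mounted image or a copied home directory). Exit status 0 = nothing found,
# 1 = at least one indicator present. Example code; nothing here is removed.

nova_hunt() {
    home="${1:-$HOME}"
    agents="$home/Library/LaunchAgents"
    found=0

    # 1. Hidden module directory where the orchestrator stores downloaded modules.
    if [ -d "$home/.mdrivers" ]; then
        echo "HIT  hidden module directory: $home/.mdrivers"
        found=$((found + 1))
    fi

    # 2. LaunchAgent plists carrying the persistence label or pointing into
    #    ~/.mdrivers. grep -a because launchd plists may be stored as binary.
    for plist in "$agents"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -aEq 'application\.com\.artificialintelligence|\.mdrivers' "$plist"; then
            echo "HIT  suspicious LaunchAgent: $plist"
            found=$((found + 1))
        fi
    done

    # 3. ZIP archives staged in LaunchAgents: the swap module saves the fake
    #    wallet apps there before extracting them. A normal LaunchAgents
    #    directory holds only plists, so any archive here is worth a look.
    for archive in "$agents"/*.zip; do
        [ -f "$archive" ] || continue
        echo "HIT  archive staged in LaunchAgents: $archive"
        found=$((found + 1))
    done

    # 4. Scripts following the mdrivers*.sh naming scheme anywhere near the
    #    top of the home tree (depth-bounded so the scan stays quick).
    nscripts=$(find "$home" -maxdepth 4 -type f -name 'mdrivers*.sh' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$nscripts" -gt 0 ]; then
        find "$home" -maxdepth 4 -type f -name 'mdrivers*.sh' 2>/dev/null | sed 's/^/HIT  module script: /'
        found=$((found + nscripts))
    fi

    # 5. Detached screen sessions (screen -dmS). Informational only: legitimate
    #    users run detached screens too, so this is a lead, not a verdict.
    if command -v screen >/dev/null 2>&1; then
        if screen -ls 2>/dev/null | grep -qi 'detached'; then
            echo "INFO detached screen session(s) present; review with: screen -ls"
        fi
    fi

    echo "indicators found: $found"
    [ "$found" -eq 0 ]
}

# Run automatically only when saved and executed as nova_hunt.sh, so the
# function can also be sourced from another script without side effects.
case "${0##*/}" in
    nova_hunt.sh) nova_hunt "$@" ;;
esac
```

On a live Mac, a hit in checks 1 to 4 should be followed by verifying the wallet applications themselves (for example with codesign --verify on /Applications/Ledger Live.app and Trezor Suite.app) and by reinstalling them from the vendors' official sources, since the swap module overwrites the originals in place.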
The fake wallet applications are designed to mimic their legitimate counterparts convincingly. They employ Swift and WebKit technologies to render deceptive phishing pages that prompt users to enter their cryptocurrency seed phrases. To enhance the believability of these phishing interfaces, the malicious JavaScript within these fake applications includes validation against standard BIP-39 and SLIP-39 word lists, offering auto-complete suggestions as the user types.
Victims who fall for this ploy will find their recovery words transmitted to attacker-controlled endpoints, specifically /seed and /seed2. This theft is executed with a subtle delay between each keystroke, enabling the attackers to capture partial seed phrases in real-time rather than waiting for the complete submission. This method significantly increases the chances of successfully exfiltrating sensitive recovery information.
Beyond seed phrase theft, Nova Stealer actively searches for and exfiltrates existing wallet files. The mdriversfiles.sh module is tasked with locating and stealing various wallet-related data, including Trezor IndexedDB logs, Exodus configuration files such as passphrase.json and seed.seco, and Ledger’s app.json. These stolen files are systematically uploaded to the command-and-control server every 20 hours through binary POST requests. Meanwhile, another module, mdriversmetrics.sh, gathers comprehensive system information, such as installed applications, running processes, and Dock configurations. This intelligence helps attackers profile their victims, refine their attack strategies, and potentially identify further vulnerabilities for exploitation.
The ongoing evolution of malware like Nova Stealer underscores the persistent and adaptive nature of cyber threats targeting the cryptocurrency ecosystem. Users are strongly advised to maintain vigilance, ensure their software is up-to-date from official sources, and practice robust security hygiene to protect their digital assets from such sophisticated attacks.