Russian cyber research companies post alerts about infostealer, industrial threats
Russian cybersecurity companies released multiple research reports about specific threats over the last week, including one about a “large-scale” information-stealing campaign targeting local organizations with Nova malware.
According to a report released late last week by Moscow-based cybersecurity firm BI.ZONE, Nova is a commercial stealer sold on dark web marketplaces by unknown cybercriminals as a service. The malware’s pricing starts at $50 for a monthly license and goes up to $630 for a lifetime license.
Nova is a fork of SnakeLogger, another popular stealer and one of the most common malware variants among cybercriminals, according to previous reports.
The BI.ZONE report arrives as Russian entities have been the target of several hacking campaigns in recent months, many believed to be politically motivated and orchestrated by state-sponsored hackers. The ongoing war in Ukraine and sweeping sanctions against Moscow have led most Western cybersecurity companies to withdraw from the Russian market, leaving significant gaps in visibility into the country’s cyberthreat landscape.
As a result, reports of attacks on Russian organizations primarily originate from local tech firms, often lacking the independent verification and detailed analysis typically provided by international cybersecurity researchers.
Over the weekend, researchers at Russian cybersecurity firm F.A.C.C.T. warned of a new cyberespionage campaign targeting local chemical, food, and pharmaceutical enterprises. They attributed these attacks to a state-backed hacker group tracked as Rezet, or Rare Wolf, which has carried out approximately 500 cyberattacks on Russian, Belarusian and Ukrainian organizations since 2018.
Another attack on Russian industrial facilities was reported a few days earlier by local cybersecurity firm Solar. Hackers from a newly identified state-sponsored group, tracked as APT NGC4020, reportedly exploited a vulnerability in a remote control and desktop-sharing tool developed by the U.S. company SolarWinds.
Major Russian organizations hacked in recent months include the telecommunications provider Rostelecom, Russia’s main electronic trading platform Roseltorg, and Rosreestr, the government agency responsible for managing property and land records.
Data-hungry Nova
BI.ZONE said that, like SnakeLogger, the Nova malware collects victims’ saved authentication data, records keystrokes, takes screenshots and extracts data from the clipboard. The data obtained in these attacks can be used for various malicious purposes, including targeted ransomware attacks, Russian researchers said.
To gain initial access to victims’ devices, the hackers send phishing emails with malicious files disguised as zipped archives containing contracts.
According to the report, the hackers use popular file names for malware archives and specifically target employees in organizations that handle large volumes of emails, increasing the likelihood of a successful attack.
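The lure described above (an archive posing as a contract, with a file name chosen to look routine) is one that a mail gateway can screen for before the attachment reaches a busy inbox. The following is an added example written for this page, not BI.ZONE’s detection logic or anything taken from the Nova sample: it builds a few constructed zip attachments in memory (placeholder bytes, no real malware), then flags any archive whose members are executables, including the double-extension pattern such as `Contract.pdf.exe`, and separately notes whether the archive name carries a contract-style lure keyword. The extension lists and keywords are assumptions chosen to illustrate the heuristic.

```python
"""Screen zipped e-mail attachments for executables disguised as documents.

Added example for this article; constructed inputs, not code from BI.ZONE.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extensions that execute when opened on Windows (assumed, illustrative list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "lnk"}
# Document-like extensions commonly used as the inner half of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Lure keywords: "contract" comes from the report; the others are assumed variants.
LURE_KEYWORDS = ("contract", "agreement", "договор", "контракт")


@dataclass
class Verdict:
    archive_name: str
    lure_name: bool
    flagged_members: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flagged_members)


def _extensions(name: str) -> List[str]:
    """Return all extensions of the base file name, lower-cased, in order."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_member(name: str) -> Optional[str]:
    """Return a reason if the member looks like disguised executable code, else None."""
    exts = _extensions(name)
    if not exts:
        return None
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return f"double extension .{exts[-2]}.{last}"
        return f"executable .{last}"
    return None


def inspect_attachment(archive_name: str, data: bytes) -> Verdict:
    """Walk the zip listing without extracting anything and record flagged members."""
    verdict = Verdict(
        archive_name=archive_name,
        lure_name=any(k in archive_name.lower() for k in LURE_KEYWORDS),
    )
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = classify_member(info.filename)
                if reason:
                    verdict.flagged_members.append((info.filename, reason))
    except zipfile.BadZipFile:
        # A .zip attachment that is not a zip is itself worth a look.
        verdict.flagged_members.append((archive_name, "not a valid zip archive"))
    return verdict


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; payloads are placeholder bytes, not malware.
SAMPLES = {
    "Contract_2024.zip": build_zip({"Contract_2024.pdf.exe": b"MZ placeholder"}),
    "Agreement_scan.zip": build_zip({"Agreement_scan.pdf": b"%PDF-1.4 placeholder"}),
    "invoice.zip": build_zip({"docs/readme.txt": b"hello", "invoice.scr": b"MZ placeholder"}),
}


def scan_all(samples=SAMPLES) -> dict:
    """Inspect every sample and return {archive_name: Verdict}."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        status = "SUSPICIOUS" if v.suspicious else "clean"
        print(f"{name}: {status} lure_name={v.lure_name} {v.flagged_members}")
```

The check reads only the central directory of the archive and never extracts or opens a member, so it is safe to run on untrusted attachments; the lure-keyword flag is kept separate from the executable flag so that a genuine PDF contract is not blocked on its name alone.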
The developers behind the tool have not been identified, but researchers noted that the malware code contains strings in Polish. A Telegram group dedicated to promoting, selling, and providing technical support for the stealer was created in August 2024.
It remains unclear how many victims in Russia have been affected by the Nova malware or what the attackers’ ultimate goal is.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.