
Nova Stealer

Description

Nova Stealer is a macOS information stealer that abuses shell-based installers and malicious application replacement to harvest cryptocurrency credentials and sensitive user data. The malware relies heavily on social engineering and trusted application impersonation rather than kernel exploits or privilege escalation.

Symptoms

You might observe the following artifacts associated with this threat:

  • Execution of shell scripts downloaded from remote infrastructure shortly after running an installer or application.

  • Creation of hidden directories used to store stealer modules and configuration files.

  • LaunchAgents added to ensure persistence across user logins.

  • Replacement or modification of installed cryptocurrency wallet applications.

  • Unexpected prompts requesting recovery phrases or wallet credentials.

  • Background processes running without a visible parent application.

Technical Breakdown

Nova Stealer is a macOS-focused information stealer implemented primarily through shell scripting and auxiliary components rather than a single compiled binary. Initial infection typically occurs through a trojanized installer or application that executes a shell script responsible for staging the malware.

Once executed, the installer creates a hidden working directory within the user’s home directory. This directory contains the main orchestrator script and additional modules that are fetched dynamically from attacker-controlled infrastructure. The modular design allows functionality to be updated or replaced without redeploying the initial installer.

Persistence is commonly achieved through user-level LaunchAgents that execute the orchestrator script at login. In observed samples, background execution may also occur through detached terminal or screen-based sessions to reduce visibility to the user.

A primary objective of Nova Stealer is the theft of cryptocurrency-related data. The malware enumerates installed wallet applications and, in some cases, removes legitimate versions and replaces them with modified clones. These cloned applications present interfaces that closely resemble legitimate wallets and prompt users to enter recovery phrases or sensitive authentication data. Captured input is transmitted to remote infrastructure controlled by the attacker.

Additional modules may attempt to locate wallet files, configuration data, or credentials stored locally on the device. Analysis shared by independent researchers indicates the malware favors simplicity and portability over advanced exploitation techniques, relying instead on social engineering and trusted application impersonation.

Next Steps

Iru Endpoint Detection & Response (EDR) can detect suspicious installer behavior, unauthorized LaunchAgent creation, and execution of untrusted shell scripts when file monitoring is set to Protect.

If Nova Stealer is suspected on a device, remove any unknown LaunchAgents and inspect hidden directories created within the user profile. Review installed applications for unauthorized replacements, particularly cryptocurrency wallet software.
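As an added example (not part of this advisory or Iru's tooling), the following POSIX shell check implements the LaunchAgent inspection step above: it flags plists whose ProgramArguments run a script from a hidden directory under the user's home, the persistence pattern described in the Technical Breakdown. The plist contents, labels and the `/Users/alice/.stage_example` path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: flag LaunchAgent plists whose
# ProgramArguments point at a script inside a hidden directory under the
# user's home. The sample plists written by make_sample_dir are constructed.

# Print the file name of every plist in directory $1 that references a path
# like /Users/<name>/.<hidden>/..., ~/.<hidden>/... or $HOME/.<hidden>/...
flag_hidden_dir_agents() {
    dir="$1"
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Pull the text of each <string> element, then test it against the pattern
        if sed -n 's:.*<string>\(.*\)</string>.*:\1:p' "$plist" \
            | grep -Eq '^(/Users/[^/]+|~|\$HOME)/\.[^/]+/'; then
            basename "$plist"
        fi
    done
}

# Build a temporary directory holding one benign and one suspicious constructed agent
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$d/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>/Users/alice/.stage_example/orchestrator.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    printf '%s\n' "$d"
}

# With no argument, scan the current user's LaunchAgents directory
flag_hidden_dir_agents "${1:-$HOME/Library/LaunchAgents}"
```

Pass another directory such as /Library/LaunchAgents to scan system-wide agents; a hit is a lead for manual inspection of the referenced script, not proof of infection.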

All wallet credentials and recovery phrases exposed on the affected device should be considered compromised and rotated immediately. Review recent transaction activity for unauthorized behavior.

In the future, only install macOS applications from verified sources and avoid executing installer scripts obtained through private messages, forums, or file-sharing platforms. Legitimate wallet applications will not request recovery phrases during routine operation.
