Cova and Nosu: a new loader spreads a new stealer

Summary

BitSight has discovered two previously undocumented malware families named Cova and Nosu. They have different purposes and capabilities, although we found some similarities during our research:

  • Cova is a tiny loader with capabilities to update itself, download and execute files, and load DLLs.
  • Nosu is a stealer capable of gathering credentials, cookies, crypto wallets, and files.
  • The threat actor is using Cova to distribute both SystemBC proxy bot and Nosu stealer.
  • The server where the Cova web panel is installed is also hosting a SystemBC panel. 
  • Given the similarity between Cova and Nosu web panels, it is very likely that these two malware families are developed by the same individual(s).

Cova overview

During our research efforts to track the usage of the SystemBC proxy bot, we came across a command and control (C2) server that was hosting a web panel in the root of the http server with "Cova" as the title. From there it didn't take us too long to find a sample with a PDB string that matched the title of the web panel:

Cova and Nosu fig 1

Figure 1 - PDB string (h/t PE-Bear)

PDB's store symbols. When executables refer to PDB files it means they were compiled in debug mode. This usually gives hints about the internal names of the projects and other interesting details.

After reverse engineering the sample, we concluded that this malware was in fact a loader that waits for instructions to download additional malware into the infected system. Loaders are a type of malware whose sole purpose is to download and run other malware onto infected systems. The process of successfully infecting systems with another malware is often referred to as “loads” and a loader's success is often measured by the number of loads it can provide as well as the quality of the infections.

To get further instructions, Cova sends a request to the C2 server every 15 minutes using a HTTP GET request to the following endpoint http://<c2 ip>/client.php?p=<encoded data>.
To build the data that goes into the p query parameter, the loader generates a bot ID based on the value that is stored in the registry key Software\Microsoft\Cryptography under MachineGuid:

Cova and Nosu fig 2

Figure 2 - Bot ID generation

Next, it collects the hostname and the username and builds a unicode string with the following format: <computer name>||<username>||0||<random number computed with RtlRandomEx>||<bot ID>

As the final step, the loader builds a string with the hex values of the previous unicode string containing the data. For example, the string MYPC||user1||0||1749582054||11510924602506494874 is converted into 4D005900500043007C007C00750073006500720031007C007C0030007C007C003100370034
0039003500380032003000350034007C007C003100310035003100300039003200340036003
0003200350030003600340039003400380037003400.

The C2 server response is always 648 bytes long and it contains an instruction for the bot. The structure below shows the format of the C2 response:

Cova and Nosu fig 3

Figure 3 - C2 response structure

Example of a parsed response:

Cova and Nosu fig 4

Figure 4 - Parsed C2 response

Currently, the loader supports the following commands:

ID Name Description
100 Idle Do nothing
200 Update Download and execute an update
300 Download and Execute Download executable file, drop to disk, and execute
400 Parsed Dll Download and launch Dll (in memory)

The URLs from command ID 400 (Parsed Dll) retrieve a custom encoded DLL with some bootstrap code in it. The function below is responsible for parsing, decoding, and launching the bootstrap code that will load and execute the DLL in memory:

Cova and Nosu fig 5

Figure 5 - Encoded DLL parser

We didn't have to figure out the encoding in detail given that the easiest solution was to build a simple C loader that would take an encoded file as input and perform the same exact operations as the previous decoder function (Figure 5). From there it was easy to dump the decoded DLLs from memory with a tool like PE-sieve.

Cova web panel

The web panel is very simple and allows the botnet operator to view all the bots, define tasks, and search/filter for specific bots.

Cova and Nosu fig 6

Figure 6 - Cova login and panel

 

Cova and Nosu fig 7

Figure 7 - Cova panel task creation

 

Cova and Nosu fig 8

Figure 8 - Cova panel search

Cova infections

Since we started tracking this loader, we observed over 3700 infected systems pretty much worldwide but with much more impact in North and South American countries. The top 10 most affected countries are (in order) the United States, Brazil, Indonesia, Vietnam, Philippines, Colombia, Mexico, Thailand, Argentina, and Chile.

Cova and Nosu fig 9

Figure 9 - Geographic distribution of victims

Cova loads Nosu

During our research, we observed that the botnet operator has been using Cova to infect systems with SystemBC proxy bot and a new malware named Nosu stealer. Nosu is capable of stealing credentials from various types of applications, browser cookies, crypto wallets, and stealing files from the infected systems. We also found that Nosu web panel is very similar to Cova panel suggesting that this might be work done by the same developer:

Cova and Nosu fig 10

Figure 10 - Nosu stealer login and panel

Conclusion

While tracking the current usage of the SystemBC proxy bot, BitSight has discovered two previously undocumented malware families being used in the wild. Cova is a tiny and simple loader but it seems capable of doing its job. On the other hand Nosu seems to be just another stealer capable of providing the threat actor(s) with tons of information that can be monetized.
We could see the similarities between the web panels of these two families and it seems very likely that they are developed by the same individual(s). We'll keep an eye on these families and see how they evolve.

If you got curious about the SystemBC proxy bot have a look at our blog post where we explain how it works: https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes

IOCs

C2 servers:

80.66.77[.]6 - Cova & SystemBC C2 server
80.66.77[.]54 - Cova & SystemBC C2 server
80.66.77[.]63 - Cova & SystemBC C2 server
80.66.77[.]95 - Cova & SystemBC C2 server
80.66.77[.]125 - Cova & SystemBC C2 server
80.66.77[.]33 - Nosu stealer C2 server

File hashes:

11ffd58d2707121ab5363d6c08560a50d3209bf60dd4b8eec066eb4241aa7bee - Cova (packed)
b0eaf0cc2f88701a216bb994a7bcbd43cb21ac11e295af9f99e6b56d6797ea01 - Cova (unpacked)
8d6ba779eb230cb2f0f2db98179d5342f0d9f2cd74c7537d736ecea156195292 - Cova (packed)
a1ae4a7440c7f2f0d03c6f2e05ff97b875e8295cf2b340b96fdda919af6c7eb5 - Cova (unpacked)
6499cadaea169c7dfe75b55f9c949659af49649a10c8b593a8db378692a11962 - Nosu stealer
b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074 - SystemBC (dropped by Cova)