Katz Stealer Boosts Credential Theft with System Fingerprinting and Persistence Mechanisms
Katz Stealer is a sophisticated information-stealing malware-as-a-service (MaaS) offering that is redefining the boundaries of credential theft.
First detected this year, Katz Stealer combines aggressive data exfiltration with advanced system fingerprinting, stealthy persistence mechanisms, and evasive loader tactics.
Distributed primarily through phishing emails and fake software downloads, this malware targets a vast array of sensitive information, from browser credentials and cryptocurrency wallet data to session tokens from platforms like Discord and Telegram.
Its ability to operate in-memory and deploy modular payloads ensures maximum stealth, making it a formidable challenge for security teams worldwide.
A New Threat in the Malware Landscape
Katz Stealer’s infection chain is a masterclass in evasion, unfolding across multiple meticulously crafted stages designed to bypass traditional security measures.
The attack often begins with a malicious GZIP archive containing an obfuscated JavaScript dropper, which leverages deceptive coding techniques like type coercion and polymorphic concatenation to obscure its intent.
Once executed, the script invokes PowerShell with hidden parameters to download a seemingly innocuous image file from platforms like Archive.org, only to extract a base64-encoded payload hidden within using steganography.
According to a Picus Security report, this payload, a .NET loader, performs geofencing checks on the system locale and sandbox checks that flag virtualized environments before using a UAC bypass via cmstp.exe to gain elevated privileges.

Multi-Stage Infection Chain
The final stealer component is injected into legitimate processes like MSBuild.exe through process hollowing, ensuring it operates under the radar while establishing persistent command-and-control (C2) communication with servers like 185.107.74[.]40.
Beyond browsers, Katz Stealer innovates by injecting malicious code into Discord’s JavaScript bundle, turning the trusted app into a backdoor that fetches attacker commands on startup, further cementing its foothold through auto-launch behavior.
What sets Katz Stealer apart is its meticulous focus on data theft and persistence.
It targets over 78 browser variants, decrypting credentials in Chromium-based browsers by accessing encrypted master keys in “Local State” files and extracting session cookies from Firefox’s profile directories.
Its reach extends to cryptocurrency wallets, scanning for desktop apps like Exodus and browser extensions like MetaMask, staging data for immediate exfiltration via TCP or HTTPS channels with a distinctive “katz-ontop” User-Agent marker.
Post-theft, it cleans up temporary files to hinder forensics, while its MaaS model, complete with a user-friendly web panel, empowers even low-skilled threat actors to customize builds and export stolen data effortlessly.
This convergence of technical sophistication and accessibility underscores why Katz Stealer is a critical threat, demanding robust detection strategies and continuous security validation to counter its multifaceted attack vectors.
Indicators of Compromise (IOCs)
| Category | Details |
|---|---|
| C2 Servers | 185.107.74[.]40, 31.177.109[.]39, twist2katz[.]com, pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev |
| Related Domains | katz-stealer[.]com, katzstealer[.]com |
| Suspicious User-Agent | Mozilla/5.0 … Safari/537.36 katz-ontop |
| File Artifacts | katz_ontop.dll, received_dll.dll (Temp), decrypted_chrome_key.txt (AppData) |
| File Hashes (SHA256) | Initial GZIP: 22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb, JS Stage: e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19 |
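As an added illustration for defenders (not code from the Picus report or from this article), the following Python sweeps proxy log lines for the indicators published above: the refanged C2 hosts, the distinctive "katz-ontop" User-Agent marker and the dropped file names. The log lines and their Common Log Format-style layout are constructed assumptions, not captured traffic.

```python
import re

# Indicators exactly as published in the article, in defanged form.
DEFANGED_C2 = ["185.107.74[.]40", "31.177.109[.]39", "twist2katz[.]com",
               "pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev"]
UA_MARKER = "katz-ontop"
FILE_ARTIFACTS = {"katz_ontop.dll", "received_dll.dll", "decrypted_chrome_key.txt"}


def refang(indicator):
    """Turn the published '[.]' notation back into a matchable host string."""
    return indicator.replace("[.]", ".").lower()


C2_HOSTS = {refang(i) for i in DEFANGED_C2}

# Assumed proxy line layout: client [timestamp] "METHOD URL PROTO" status "user-agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def host_of(url):
    """Extract the host part of an absolute URL (empty string if none)."""
    m = re.match(r'^[a-z]+://([^/:]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def check_proxy_line(line):
    """Return the names of the rules that fire on one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if UA_MARKER in m.group("ua"):
        hits.append("katz_user_agent")      # exfiltration marker from the report
    if host_of(m.group("url")) in C2_HOSTS:
        hits.append("katz_c2_host")         # contact with a listed C2 server
    return hits


def check_file_path(path):
    """Flag the dropped-file names the report lists, regardless of directory."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in FILE_ARTIFACTS


def scan(lines):
    """Return (line, hits) pairs for every line on which at least one rule fires."""
    flagged = [(line, check_proxy_line(line)) for line in lines]
    return [(line, hits) for line, hits in flagged if hits]


# Constructed sample log: one C2 beacon with the marker, one benign, one C2 fetch.
SAMPLE_LOG = [
    '10.0.0.5 [12/Jun/2025:10:01:02 +0000] "POST http://185.107.74.40/upload HTTP/1.1" '
    '200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36 katz-ontop"',
    '10.0.0.7 [12/Jun/2025:10:02:10 +0000] "GET https://example.com/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 [12/Jun/2025:10:03:30 +0000] "GET http://twist2katz.com/cfg HTTP/1.1" 404 "curl/8.0"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line[:60])
```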