Katz Stealer Targets Chrome, Edge, Brave, and Firefox to Steal Login Credentials


Katz Stealer has emerged as a potent credential-stealing malware-as-a-service, targeting popular web browsers such as Chrome, Edge, Brave, and Firefox.

This multi-feature stealer conducts extensive system reconnaissance and data theft by extracting saved passwords, cookies, and session tokens from these browsers.

Beyond browsers, it also compromises cryptocurrency wallets, communication platforms like Discord and Telegram, email clients such as Outlook, and even gaming platforms like Steam.


Its infection chain is notably intricate, leveraging everyday online activities like phishing emails, fake software downloads, and malicious ads to infiltrate systems, making it a pervasive threat to both individuals and organizations.

A Sophisticated Malware-as-a-Service Threat

Katz Stealer’s infection process begins with the delivery of malicious JavaScript hidden within gzip files.


Once executed, this script triggers the download of an obfuscated, base64-encoded PowerShell script, which in turn retrieves a .NET-based loader payload.

According to the Nextron Systems report, this loader injects the stealer into legitimate processes such as MSBuild using process hollowing, so the stealer runs under the name of a trusted binary and is harder to spot in a process listing.

The malware employs advanced evasion mechanisms, including geofencing to avoid execution in Commonwealth of Independent States (CIS) countries, virtual machine detection through BIOS queries and system uptime checks, and sandbox evasion by analyzing screen resolution.

Figure: Struct containing the CIS countries excluded by the malware

Additionally, it abuses trusted Windows utilities like cmstp.exe for User Account Control (UAC) bypass, enabling elevated privileges without alerting users.

Technical Breakdown of Katz Stealer’s Infection

Once active, Katz Stealer establishes a persistent TCP connection to its command and control (C2) server, downloads further payloads, and injects them into browser processes via the CreateRemoteThread API to harvest sensitive data.

A particularly alarming capability is its ability to bypass Chrome’s app-bound encryption by extracting decryption keys from Local State files, saving them as plaintext in the victim’s AppData folder for exfiltration.

The malware’s reach extends to Firefox through targeting profile files like cookies.sqlite and logins.json, while it hijacks Discord by injecting malicious code into the app.asar file for remote code execution.

Its cryptocurrency exfiltration targets a wide array of wallets including Exodus and Bitcoin Core, copying private keys and seed phrases to temporary directories before uploading them to attacker-controlled servers.

Additional data theft includes WiFi credentials via netsh commands, VPN configurations, and Ngrok tokens, alongside surveillance features like screen capture and clipboard monitoring.

Despite its sophisticated evasion, detection opportunities exist: network traffic analysis for the suspicious User-Agent string “katz-ontop”, monitoring for unusual process behaviour involving cmstp.exe or headless browser execution, and identifying temporary files such as “received_dll.dll” in system directories.

Indicators of Compromise (IOCs)

C2 addresses: 185.107.74.40, 31.177.109.39, twist2katz.com, pub-ce02802067934e0eb072f69bf6427bf6.r2.dev

Related domains: katz-stealer.com, katzstealer.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop

Filenames: AppData\Local\Temp\katz_ontop.dll, AppData\Local\Temp\received_dll.dll, AppData\Roaming\decrypted_chrome_key.txt (and variants for Brave, Edge)
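The three detection opportunities named above (the katz-ontop User-Agent and C2 hosts in proxy traffic, cmstp.exe or headless browser launches in process telemetry, and the dropped file names in AppData) can be checked in one triage pass over exported logs. The script below is an added example written for this article; it is not code from the article or from Nextron Systems. The proxy-log line format, the EDR-style process records and every sample line are constructed for illustration, and the decrypted_brave_key.txt / decrypted_edge_key.txt names are assumed to follow the Chrome file name, since the IOC list only says "variants for Brave, Edge".

```python
"""Triage of the Katz Stealer indicators listed in the article.

Added example, not code from the article or from Nextron Systems. The log
format, the process records and all sample data below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # "proxy", "process" or "file"
    reason: str
    evidence: str


# Network indicators taken from the article's IOC list.
C2_HOSTS = {
    "185.107.74.40",
    "31.177.109.39",
    "twist2katz.com",
    "pub-ce02802067934e0eb072f69bf6427bf6.r2.dev",
    "katz-stealer.com",
    "katzstealer.com",
}
UA_MARKER = "katz-ontop"

# Dropped-file names from the article; the brave/edge key-file names are an
# assumption modelled on decrypted_chrome_key.txt, not taken from the page.
ARTEFACT_RE = re.compile(
    r"(?:^|[\\/])(?:katz_ontop\.dll|received_dll\.dll"
    r"|decrypted_(?:chrome|brave|edge)_key\.txt)$",
    re.IGNORECASE,
)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed proxy-log format: <timestamp> <client> <method> <url> "<user-agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def host_of(url):
    """Lower-cased host part of a URL, without scheme, port or path."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def scan_proxy_line(line):
    """Flag requests to a listed C2 host or carrying the katz-ontop User-Agent."""
    m = PROXY_RE.match(line)
    if m is None:
        return []
    findings = []
    host = host_of(m["url"])
    if host in C2_HOSTS:
        findings.append(Finding("proxy", f"request to listed Katz host {host}", line))
    if UA_MARKER in m["ua"].lower():
        findings.append(Finding("proxy", "User-Agent carries the katz-ontop marker", line))
    return findings


def scan_process_event(event):
    """Flag cmstp.exe launches and headless browser launches for analyst review."""
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    findings = []
    if image == "cmstp.exe":
        findings.append(Finding("process", "cmstp.exe execution (UAC-bypass utility named in the report)", event["cmdline"]))
    if image in BROWSER_IMAGES and "--headless" in event["cmdline"].lower():
        findings.append(Finding("process", f"headless launch of {image}", event["cmdline"]))
    return findings


def scan_file_path(path):
    """Flag a path whose file name matches one of the dropped artefacts."""
    return [Finding("file", "Katz Stealer artefact file name", path)] if ARTEFACT_RE.search(path) else []


# Constructed sample telemetry: one hit and one benign entry per source.
SAMPLE_PROXY_LOG = [
    '2025-05-20T10:01:02Z 10.0.0.5 GET http://twist2katz.com/gate "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop"',
    '2025-05-20T10:01:09Z 10.0.0.7 GET https://example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"',
]
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmstp.exe", "cmdline": "cmstp.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe --headless"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
SAMPLE_FILE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\received_dll.dll",
    r"C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
]


def run_all():
    """Run every scanner over the sample telemetry and return all findings."""
    findings = []
    for line in SAMPLE_PROXY_LOG:
        findings += scan_proxy_line(line)
    for event in SAMPLE_PROCESS_EVENTS:
        findings += scan_process_event(event)
    for path in SAMPLE_FILE_PATHS:
        findings += scan_file_path(path)
    return findings


def summarize(findings):
    """Count findings per telemetry source."""
    return dict(Counter(f.source for f in findings))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reason}: {f.evidence}")
    print(summarize(run_all()))
```

Each scanner returns structured findings rather than printing, so the same functions can be pointed at a real proxy export, an EDR process dump or a file listing by swapping the sample lists for the parsed data. The file-name match is anchored to the end of the path so that unrelated files that merely contain one of the names (for example a backup copy with an extra extension) are not flagged.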
