The Kematian Stealer has emerged as a sophisticated PowerShell-based malware that covertly exfiltrates sensitive data from compromised systems.
This article delves into the intricate workings of this malicious tool, highlighting its methods and the potential risks it poses.
Binary Analysis
The Kematian Stealer begins its operation with a 64-bit portable executable loader file, written in C++.
This loader contains an obfuscated script within its resource section, designed to evade detection and analysis.
Upon execution, the malware extracts a blob identified as “112E9CAC33494A35D3547F4B3DCD2FD5” from the resource section, as per a report by K7 Labs.
This blob is then decrypted, revealing a batch file that initiates the next phase of the attack.
The decryption process, likely utilizing the RC4 algorithm, is a critical step in the malware’s execution flow.
Once decrypted, the batch file runs with elevated privileges, ensuring the subsequent PowerShell script can operate without hindrance.
This script checks for administrative rights and prompts the user, if necessary, before establishing persistence via the Windows Task Scheduler.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
Persistence and Data Collection
The Kematian Stealer’s persistence mechanism involves creating a copy of the PowerShell script in the %Appdata% folder, named percs.ps1.
This script is then scheduled to run regularly, ensuring the malware’s continued presence on the infected system.
The core of the data exfiltration process lies in the grub function. This function collects a wealth of system information from the public IP address obtained through a web request to “https://api.ipify.org.”
The IP address is stored in a text file named “ip.txt” within the user’s local application data directory.
Next, the malware gathers detailed system information using the Windows command-line tool Systeminfo.exe.
This includes OS version, hostname, system model, and more, all saved in “system_info.txt”.
Additionally, the malware extracts the system’s UUID and MAC addresses using Windows Management Instrumentation (WMI) and stores these details in “uuid.txt” and “mac.txt,” respectively.
Network and User Information
The Kematian Stealer extends its data collection to network statistics by executing NETSTAT.exe, retrieving active connections and listening ports and associated process IDs.
This information is crucial for understanding the network environment of the compromised system.
System environment variables also gather user and host information, providing the attacker with insights into the system’s user profile.
The collected data is meticulously formatted and sent to a Discord channel via a webhook, ensuring the attacker receives a comprehensive report of the victim’s system.
Data Exfiltration and Evasion
The final stage of the Kematian Stealer’s operation involves exfiltrating the collected data.
The malware compresses all the text files into a zip archive and uses Curl.exe to transfer the data and a JSON payload to a specified Discord channel.
This method leverages Discord’s infrastructure for covert communication, making detection and interception more challenging.
To evade detection, the malware checks for the presence of security tools like Discord Token Protector and removes them if found.
It also attempts to download additional payloads from the Kematian Stealer GitHub page, although some URLs redirect to outdated versions.
The Kematian Stealer exemplifies the increasing sophistication of modern malware.
With features like a GUI builder, antivirus evasion, and capabilities to extract WiFi passwords, webcams, desktop screenshots, and session data from various clients, it poses a significant threat to individual users and organizations.
The Kematian Stealer’s abuse of PowerShell for covert data exfiltration underscores the need for continuous advancements in cybersecurity measures.
By understanding the tactics and techniques employed by such malware, we can better prepare and protect ourselves in the digital age.
IoCs
File name | Hash | Detection name |
Loader | 02F3B7596CFF59B0A04FD2B0676BC395 | Trojan-Downloader ( 005a4e961 ) |
584A.bat | D2EA85153D712CCE3EA2ABD1A593A028 | Trojan-Downloader ( 005a4e921 ) |
PowerShell.ps1 | A3619B0A3EE7B7138CEFB9F7E896F168 | Trojan ( 0001140e1 ) |
Main.exe | E06F672815B89458C03D297DB99E9F6B | Trojan ( 005ae5411 ) |
Injection.js | 1CBBFBC69BD8FA712B037EBE37E87709 | Trojan ( 00597b5e1 ) |
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files