| Kematian Stealer | |
| --- | --- |
| Type of Malware | Infostealer |
| Date of initial activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of information Stolen | Communication Data |
Overview
In an increasingly interconnected digital landscape, malware continues to evolve in sophistication and stealth, posing significant threats to users and organizations alike. Among these nefarious tools is Kematian Stealer, a PowerShell-based malware designed specifically to exfiltrate sensitive information from infected systems. This stealthy token-grabber exploits vulnerabilities and utilizes various techniques to infiltrate systems, making it a formidable threat for both individual users and enterprises.
Kematian Stealer operates by employing advanced obfuscation methods to conceal its true intentions, which primarily revolve around stealing sensitive data such as credentials, system information, and user tokens. Its architecture combines a loader written in C++ with a series of malicious scripts that execute once the malware is activated. This design allows it to function effectively while evading detection by standard security measures.
One of the hallmark features of Kematian Stealer is its ability to establish persistence on infected devices. By utilizing the Windows Task Scheduler, it ensures that the malicious scripts run automatically, even after a system reboot. This capability significantly increases the window of opportunity for attackers to harvest data without raising alarms. Additionally, the malware’s focus on obtaining system configuration and network environment information makes it an invaluable tool for threat actors conducting reconnaissance prior to launching more targeted attacks.
As cyber threats like Kematian Stealer become more prevalent, understanding their operation and identifying their indicators of compromise (IoCs) is crucial. Organizations and individuals must remain vigilant and informed, as the consequences of a successful malware attack can be devastating, leading to financial losses, data breaches, and compromised privacy. With the right knowledge and protective measures, users can fortify their defenses against this and other emerging cyber threats.
Targets
Individuals
How they operate
At its core, Kematian Stealer begins with a loader executable, typically a 64-bit portable executable (PE) file written in C++. This loader is responsible for extracting a heavily obfuscated script embedded in its resource section. The obfuscation makes the script difficult to read, allowing the malware to evade initial detection by security software. Once the loader is executed, it decrypts a specific resource blob, which is a batch file, using an RC4-like algorithm. The decrypted batch file is then executed with elevated privileges to ensure the malware has the necessary permissions to perform its malicious activities.
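To make the loader stage concrete for an analyst, the following added example (not Kematian Stealer's own code, and not from the original page) RC4-decrypts a blob carved from a resource section and checks whether the plaintext looks like a batch script. The page only says the routine is "RC4-like", so textbook RC4 is an assumption here, and the key, the placeholder batch text and the blob are all constructed, not values recovered from the malware.

```python
"""Analyst triage helper for the loader stage: RC4-decrypt a blob carved
from an executable's resource section and check whether the plaintext looks
like a batch script. Added example, not Kematian Stealer's code. The page
only says the loader uses an "RC4-like" routine, so textbook RC4 is an
assumption, and the key and blob below are constructed, not values
recovered from the malware."""
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Tokens typical of a .bat/.cmd stage; a heuristic, not a signature.
BATCH_MARKERS = (b"@echo off", b"powershell", b"cmd /c", b"rem ", b"set ")


def looks_like_batch(blob: bytes) -> bool:
    """True when the blob is almost entirely printable text and contains a
    batch-script token, i.e. a plausible decryption result."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(blob) < 0.95:
        return False
    low = blob.lower()
    return any(marker in low for marker in BATCH_MARKERS)


def try_decrypt_resource(blob: bytes, candidate_keys: Iterable[bytes]
                         ) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Try each candidate key (e.g. strings pulled from the loader) and
    return (key, plaintext) for the first one that yields batch-like text."""
    for key in candidate_keys:
        plaintext = rc4(key, blob)
        if looks_like_batch(plaintext):
            return key, plaintext
    return None, None


# Constructed sample: a benign placeholder standing in for the decrypted
# batch stage, encrypted under a made-up key to simulate the .rsrc blob.
SAMPLE_KEY = b"example-key-not-from-the-sample"
SAMPLE_BATCH = b"@echo off\r\nrem constructed placeholder for stage two\r\n"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_BATCH)

if __name__ == "__main__":
    key, text = try_decrypt_resource(SAMPLE_BLOB, [b"wrong-guess", SAMPLE_KEY])
    print("matched key:", key)
    print(text.decode() if text else "<no candidate key produced batch-like text>")
```

In practice the candidate keys come from strings or constants found near the decryption routine in the loader; the heuristic in `looks_like_batch` is what lets a script distinguish a correct guess from noise without a human reading every output.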
Upon execution, Kematian Stealer checks whether it is running with administrative privileges. If it detects insufficient privileges, it prompts the user to rerun the script with elevated rights. This step is crucial, as many of the malware’s functionalities require higher-level access to the system. Once it has the required permissions, the malware creates a persistence mechanism through the Windows Task Scheduler. It copies the PowerShell script to the %AppData% folder, renaming it to percs.ps1, and ensures that it does not create duplicate tasks that could alert users or lead to conflicts.
The next stage of Kematian Stealer’s operation focuses on data collection. The malware implements a function known as “Grub,” which collects critical information about the infected system. It starts by querying the public IP address through a web request to https://api.ipify.org, storing the result in a text file. It then gathers detailed system information using the Systeminfo.exe command, including the operating system version, host name, and system model. This information is redirected to another text file, system_info.txt, in the user’s local application data directory.
Following the collection of system information, Kematian Stealer extracts the UUID and MAC addresses using Windows Management Instrumentation (WMI) queries. This data is stored in separate text files, facilitating further reconnaissance by the threat actor. Additionally, the malware retrieves the current username and hostname via system environment variables. It even collects network statistics by executing NETSTAT.exe, allowing it to capture active connections and listening ports along with their associated Process IDs.
After compiling the stolen data, Kematian Stealer crafts a structured message containing all the collected information. This message is sent to a specified Discord channel through a webhook, leveraging Discord’s infrastructure to facilitate exfiltration. This technique not only ensures that the data reaches the attacker but also obscures the transmission path, making it harder for security solutions to detect the exfiltration activity. Moreover, Kematian Stealer attempts to disable any protective measures in place, such as Discord Token Protectors, to maximize its chances of success.
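The behaviour chain described in this section (a scheduled task pointing at percs.ps1 under %AppData%, Systeminfo.exe and NETSTAT.exe spawned from PowerShell, a lookup to api.ipify.org, and traffic to a Discord webhook host) is detectable from ordinary endpoint telemetry. The following added example, which is not from the original page or any vendor product, runs such rules over Sysmon-style events and grades each host by which stages were observed. The field names (Image, ParentImage, CommandLine, DestinationHostname, Computer), the verdict thresholds and the sample events are all constructed assumptions.

```python
"""Detection over Sysmon-style process-creation and network events for the
Kematian Stealer behaviour chain. Added example, not the page's or any
vendor's code; field names, thresholds and sample telemetry are constructed."""
import json
from collections import defaultdict


def _img(e):    return e.get("Image", "").lower()
def _parent(e): return e.get("ParentImage", "").lower()
def _cmd(e):    return e.get("CommandLine", "").lower()
def _dest(e):   return e.get("DestinationHostname", "").lower()


# (rule name, event type, predicate). The prefix before the first "_" is the
# stage the rule evidences: persistence, recon or exfil.
RULES = [
    ("persistence_schtask_appdata_percs", "process",
     lambda e: _img(e).endswith("\\schtasks.exe")
               and "\\appdata\\roaming\\" in _cmd(e) and "percs.ps1" in _cmd(e)),
    ("recon_systeminfo_from_powershell", "process",
     lambda e: _img(e).endswith("\\systeminfo.exe") and "powershell" in _parent(e)),
    ("recon_netstat_from_powershell", "process",
     lambda e: _img(e).endswith("\\netstat.exe") and "powershell" in _parent(e)),
    ("recon_public_ip_lookup", "network",
     lambda e: "powershell" in _img(e) and _dest(e) == "api.ipify.org"),
    ("exfil_discord_webhook_host", "network",
     lambda e: "powershell" in _img(e) and _dest(e) in ("discord.com", "discordapp.com")),
]


def analyze_events(events):
    """Collect rule hits per host and grade them: 'high' when both the
    persistence and exfil stages are seen, 'medium' for two stages, else 'low'."""
    hits = defaultdict(set)
    for e in events:
        for name, etype, pred in RULES:
            if e.get("type") == etype and pred(e):
                hits[e.get("Computer", "unknown")].add(name)
    report = {}
    for host, names in hits.items():
        stages = {n.split("_", 1)[0] for n in names}
        if {"persistence", "exfil"} <= stages:
            verdict = "high"
        elif len(stages) >= 2:
            verdict = "medium"
        else:
            verdict = "low"
        report[host] = {"verdict": verdict, "hits": sorted(names)}
    return report


def analyze_log(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return analyze_events(events)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
S32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry: WS01 shows the full chain, WS02 is an admin
# running systeminfo from cmd.exe (benign), WS03 only a public-IP lookup.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "process", "Computer": "WS01", "Image": S32 + "schtasks.exe", "ParentImage": PS,
     "CommandLine": "schtasks /create /tn Update /tr \"powershell -File C:\\Users\\u\\AppData\\Roaming\\percs.ps1\""},
    {"type": "process", "Computer": "WS01", "Image": S32 + "systeminfo.exe", "ParentImage": PS,
     "CommandLine": "systeminfo"},
    {"type": "process", "Computer": "WS01", "Image": S32 + "NETSTAT.EXE", "ParentImage": PS,
     "CommandLine": "netstat -ano"},
    {"type": "network", "Computer": "WS01", "Image": PS, "DestinationHostname": "api.ipify.org"},
    {"type": "network", "Computer": "WS01", "Image": PS, "DestinationHostname": "discord.com"},
    {"type": "process", "Computer": "WS02", "Image": S32 + "systeminfo.exe",
     "ParentImage": S32 + "cmd.exe", "CommandLine": "systeminfo"},
    {"type": "network", "Computer": "WS03", "Image": PS, "DestinationHostname": "api.ipify.org"},
]) + "\nthis line is not json and is skipped\n"

if __name__ == "__main__":
    for host, result in analyze_log(SAMPLE_LOG).items():
        print(host, result["verdict"], ", ".join(result["hits"]))
```

Grading by stage rather than by raw hit count keeps a lone public-IP lookup (common in legitimate scripts) at low priority while the combination of a persistence task and webhook traffic from PowerShell, which has little benign explanation, is escalated.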
MITRE Tactics and Techniques
Initial Access (TA0001): The malware gains access to the target system, typically through phishing or malicious downloads.
Execution (TA0002): Kematian Stealer executes its payload by running scripts, including PowerShell scripts and batch files.
Persistence (TA0003): The malware establishes persistence through techniques like creating scheduled tasks to ensure it runs automatically after reboots.
Privilege Escalation (TA0004): It may attempt to gain elevated privileges to access restricted system areas or data.
Credential Access (TA0006): The primary purpose of Kematian Stealer is to harvest credentials, tokens, and sensitive information from the infected system.
Collection (TA0009): The malware collects system information, including public IP addresses, UUIDs, MAC addresses, and other data to facilitate further attacks.
Exfiltration (TA0010): Kematian Stealer sends the collected data to the attacker, often using webhooks or other external communication methods.
Impact (TA0040): The malware can have a damaging effect on the targeted system and user data, leading to further exploitation or identity theft.