The Kematian Stealer is a sophisticated piece of PowerShell-based malware designed to covertly exfiltrate sensitive data from compromised systems. It begins its attack with a C++ executable loader that contains an obfuscated script to avoid detection. Upon execution, this loader decrypts a batch file, which then runs a PowerShell script with elevated privileges to ensure the malware remains persistent on the infected system.
The persistence mechanism of Kematian Stealer involves placing a PowerShell script in the %Appdata% folder, named percs.ps1, and scheduling it to run regularly via the Windows Task Scheduler. The malware’s core function is to collect and exfiltrate a range of system information, including IP addresses, OS details, UUIDs, MAC addresses, and network statistics. This data is stored in various text files and sent to a Discord channel through a webhook.
To avoid detection, Kematian Stealer compresses the collected data into a zip archive and uses Curl.exe for data transfer, leveraging Discord’s infrastructure for covert communication. The malware also checks for and removes security tools that could interfere with its operations. Additionally, it attempts to download further payloads, though some URLs may redirect to outdated versions.
Kematian Stealer exemplifies modern malware’s sophistication by using PowerShell for stealthy data extraction and employing advanced evasion techniques. Its ability to bypass traditional security measures and exploit popular platforms like Discord highlights the need for continuous advancements in cybersecurity to counter such threats effectively.
