Kematian Stealer Abuses Powershell Tool for Covert Data Exfiltration

The Kematian Stealer has emerged as a sophisticated PowerShell-based malware that covertly exfiltrates sensitive data from compromised systems.

This article delves into the intricate workings of this malicious tool, highlighting its methods and the potential risks it poses.

EHA

Binary Analysis

The Kematian Stealer begins its operation with a 64-bit portable executable loader file, written in C++.

This loader contains an obfuscated script within its resource section, designed to evade detection and analysis.

Upon execution, the malware extracts a blob identified as “112E9CAC33494A35D3547F4B3DCD2FD5” from the resource section, as per a report by K7 Labs.

This blob is then decrypted, revealing a batch file that initiates the next phase of the attack.

Resource Blob
Resource Blob

The decryption process, likely utilizing the RC4 algorithm, is a critical step in the malware’s execution flow.

Decryption_Loop
Decryption_Loop

Once decrypted, the batch file runs with elevated privileges, ensuring the subsequent PowerShell script can operate without hindrance.

This script checks for administrative rights and prompts the user, if necessary, before establishing persistence via the Windows Task Scheduler.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Persistence and Data Collection

The Kematian Stealer’s persistence mechanism involves creating a copy of the PowerShell script in the %Appdata% folder, named percs.ps1.

This script is then scheduled to run regularly, ensuring the malware’s continued presence on the infected system.

Task Creation
Task Creation

The core of the data exfiltration process lies in the grub function. This function collects a wealth of system information from the public IP address obtained through a web request to “https://api.ipify.org.”

The IP address is stored in a text file named “ip.txt” within the user’s local application data directory.

Next, the malware gathers detailed system information using the Windows command-line tool Systeminfo.exe.

This includes OS version, hostname, system model, and more, all saved in “system_info.txt”.

Additionally, the malware extracts the system’s UUID and MAC addresses using Windows Management Instrumentation (WMI) and stores these details in “uuid.txt” and “mac.txt,” respectively.

Network and User Information

The Kematian Stealer extends its data collection to network statistics by executing NETSTAT.exe, retrieving active connections and listening ports and associated process IDs.

This information is crucial for understanding the network environment of the compromised system.

Netstat Stealer
Netstat Stealer

System environment variables also gather user and host information, providing the attacker with insights into the system’s user profile.

The collected data is meticulously formatted and sent to a Discord channel via a webhook, ensuring the attacker receives a comprehensive report of the victim’s system.

Data Exfiltration and Evasion

The final stage of the Kematian Stealer’s operation involves exfiltrating the collected data.

The malware compresses all the text files into a zip archive and uses Curl.exe to transfer the data and a JSON payload to a specified Discord channel.

This method leverages Discord’s infrastructure for covert communication, making detection and interception more challenging.

Data Compressing
Data Compressing

To evade detection, the malware checks for the presence of security tools like Discord Token Protector and removes them if found.

It also attempts to download additional payloads from the Kematian Stealer GitHub page, although some URLs redirect to outdated versions.

The Kematian Stealer exemplifies the increasing sophistication of modern malware.

With features like a GUI builder, antivirus evasion, and capabilities to extract WiFi passwords, webcams, desktop screenshots, and session data from various clients, it poses a significant threat to individual users and organizations.

The Kematian Stealer’s abuse of PowerShell for covert data exfiltration underscores the need for continuous advancements in cybersecurity measures.

By understanding the tactics and techniques employed by such malware, we can better prepare and protect ourselves in the digital age.

IoCs

File nameHashDetection name
Loader02F3B7596CFF59B0A04FD2B0676BC395 Trojan-Downloader ( 005a4e961 )
584A.batD2EA85153D712CCE3EA2ABD1A593A028 Trojan-Downloader ( 005a4e921 )
PowerShell.ps1A3619B0A3EE7B7138CEFB9F7E896F168 Trojan ( 0001140e1 )
Main.exeE06F672815B89458C03D297DB99E9F6B Trojan ( 005ae5411 )
Injection.js1CBBFBC69BD8FA712B037EBE37E87709 Trojan ( 00597b5e1 )

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.