Katz Stealer Threat Analysis

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques such as geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScript, PowerShell scripts, and .NET payloads. Key features include browser credential theft, crypto wallet exfiltration, and Discord process hijacking. The malware also gathers system information, captures screenshots, and monitors clipboards. Detection opportunities include network traffic analysis, file system monitoring, and process behavior analysis. The analysis provides YARA and Sigma rules for detection, along with a comprehensive list of IOCs.

Author: AlienVault

Related Tags:
discord-hijacking
browser-targeting
credential-stealer
uac-bypass
process-hollowing
Katz Stealer
T1218.003
T1102.002
T1001.003

Associated Indicators:
15953E0191EDAA246045DDA0D7489B3832F27FDC3FCC5027F26B89692AEFD6E1
FDC86A5B3D7DF37A72C3272836F743747C47BFBC538F05AF9ECF78547FA2E789
E4249CF9557799E8123E0B21B6A4BE5AB8B67D56DC5BFAD34A1D4E76F7FD2B19
E1A0D6929662BCBC9E5E0827CB8B6D7818088E996CF971D2A4A1C1CA4208E533
2852770F459C0C6A0ECFC450B29201BD348A55FB3A7A5ECDCC9986127FDB786B
C601721933D11254AE329B05882337DB1069F81E4D04CD4550C4B4B4FE35F9CD
925E6375DEAA38D978E00A73F9353A9D0DF81F023AB85CF9A1DC046E403830A8
6DC8E99DA68B703E86FA90A8794ADD87614F254F804A8D5D65927E0676107A9D
5A984E2E308FE84E4E2071DD877772361719BA0217C2C23DA79DBB82DC15EAC8
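The summary names file system monitoring as one detection opportunity. The following added example, which is not part of the AlienVault pulse, shows the simplest form of that: sweeping a directory tree and flagging any file whose hash is in the indicator list above. The indicators are 64-character hex strings, which is the length of a SHA-256 digest; treating them as SHA-256 file hashes is an assumption based on that length. The function names and the sample file are constructed for the example.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, Set, Union

# Indicators copied from this page. They are 64 hex characters, so they are
# treated here as SHA-256 file hashes (an assumption based on their length).
KATZ_STEALER_HASHES = {
    "15953E0191EDAA246045DDA0D7489B3832F27FDC3FCC5027F26B89692AEFD6E1",
    "FDC86A5B3D7DF37A72C3272836F743747C47BFBC538F05AF9ECF78547FA2E789",
    "E4249CF9557799E8123E0B21B6A4BE5AB8B67D56DC5BFAD34A1D4E76F7FD2B19",
    "E1A0D6929662BCBC9E5E0827CB8B6D7818088E996CF971D2A4A1C1CA4208E533",
    "2852770F459C0C6A0ECFC450B29201BD348A55FB3A7A5ECDCC9986127FDB786B",
    "C601721933D11254AE329B05882337DB1069F81E4D04CD4550C4B4B4FE35F9CD",
    "925E6375DEAA38D978E00A73F9353A9D0DF81F023AB85CF9A1DC046E403830A8",
    "6DC8E99DA68B703E86FA90A8794ADD87614F254F804A8D5D65927E0676107A9D",
    "5A984E2E308FE84E4E2071DD877772361719BA0217C2C23DA79DBB82DC15EAC8",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lower-case and validate hash IOCs so comparison is case-insensitive.

    Threat-intel feeds mix upper- and lower-case hex; hashlib emits lower-case.
    Anything that is not a 64-character hex string is rejected loudly rather
    than silently never matching.
    """
    normalized = set()
    for raw in iocs:
        h = raw.strip().lower()
        if len(h) != 64 or not set(h) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        normalized.add(h)
    return normalized


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Union[str, Path], iocs: Iterable[str]) -> Dict[str, str]:
    """Return {file_path: matched_hash} for every regular file under root
    whose SHA-256 appears in iocs. Symlinks and unreadable files are skipped."""
    wanted = normalize_iocs(iocs)
    matches: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or permission-denied file; keep scanning
            if digest in wanted:
                matches[str(path)] = digest
    return matches


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_directory(target, KATZ_STEALER_HASHES)
    for file_path, digest in sorted(hits.items()):
        print(f"MATCH {digest} {file_path}")
    print(f"{len(hits)} file(s) under {target} match the indicator list")
```

Run it as `python sweep.py /path/to/scan` (the script name is a placeholder). A hash sweep only catches samples that are byte-identical to ones already reported, so it complements rather than replaces the YARA and Sigma rules the report provides; it is most useful for confirming whether a known sample landed on a host during incident triage.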