

Rewterz Threat Advisory – CVE-2023-35887 – Apache MINA SSHD Vulnerability
July 10, 2023
Rewterz Threat Alert – LockBit Ransomware – Active IOCs
July 10, 2023
Severity
High
Analysis Summary
StormKitty is an information stealer designed to harvest sensitive data from infected systems, including login credentials, saved passwords, cryptocurrency wallets, and other valuable information. The stolen data is typically used for identity theft, financial fraud, and unauthorized access to the victim's accounts.
Key characteristics and functionality of the StormKitty stealer:
- The primary objective of StormKitty is to exfiltrate sensitive data from compromised systems. It targets a wide range of applications, including web browsers, email clients, FTP clients, and cryptocurrency wallets, collecting stored credentials, browser cookies, autofill data, and other personal information.
- StormKitty communicates with remote command-and-control (C2) servers operated by the attackers, from which it receives instructions and updates and to which it exfiltrates the stolen data.
- To survive on infected systems, StormKitty employs persistence mechanisms such as creating registry Run entries, adding startup entries, or registering scheduled tasks, so that the malware remains active across system reboots.
- StormKitty incorporates anti-analysis techniques to evade detection by security software, including code obfuscation, packers or crypters, and checks for the presence of virtual machines or sandboxes.
- The malware is commonly distributed as an email attachment disguised as a legitimate file, such as a PDF, Word document, or archive.
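The persistence behaviour described above (registry Run entries and startup entries) is the first thing an analyst checks on a suspected host. The script below is an added example written for this advisory, not code from Rewterz or from the StormKitty sample: it enumerates the Run/RunOnce keys on a Windows host and triages each command with generic heuristics (user-writable drop directories, script-host launches, encoded PowerShell, document-lookalike double extensions such as `.pdf.exe`). Those heuristics and the `SAMPLE_ENTRIES` are assumptions constructed for illustration, not observed StormKitty indicators.

```python
"""Autorun persistence triage for stealer-style entries (added example).

Illustrative code written for this advisory, not code from Rewterz or from
StormKitty itself. The heuristics below are generic assumptions about how
stealer loaders persist, not documented StormKitty behaviour, and the
SAMPLE_ENTRIES are constructed, not observed.
"""
import re
import sys

# Reason strings returned by classify_autorun().
DROP_DIR = "executes from user-writable drop directory"
SCRIPT_HOST = "launches a script host or LOLBin"
ENCODED_PS = "uses an encoded PowerShell command"
DOUBLE_EXT = "document-lookalike double extension"

# Generic drop locations (assumption). Commands are compared lower-cased with
# backslashes normalised to '/', so these match either separator style.
SUSPICIOUS_DIRS = (
    "/appdata/local/temp/", "/appdata/roaming/", "/downloads/",
    "/programdata/", "/users/public/", "/windows/temp/",
)
# Script hosts commonly abused by loaders, matched only as a whole program name.
SUSPICIOUS_HOSTS = re.compile(
    r"(?:^|[\\/\s\"'])(?:powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b",
    re.IGNORECASE,
)
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt|zip|rar)\.(?:exe|scr|com|bat|cmd|vbs|js|ps1)\b",
    re.IGNORECASE,
)

# The Run/RunOnce keys that "registry entries / startup entries" usually means.
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
)


def classify_autorun(command: str) -> list[str]:
    """Return the reasons an autorun command looks suspicious ([] = nothing flagged)."""
    reasons = []
    normalised = command.lower().replace("\\", "/")
    if any(d in normalised for d in SUSPICIOUS_DIRS):
        reasons.append(DROP_DIR)
    if SUSPICIOUS_HOSTS.search(command):
        reasons.append(SCRIPT_HOST)
    if ENCODED_FLAG.search(command + " "):  # trailing space so a final "-enc" still matches
        reasons.append(ENCODED_PS)
    if DOUBLE_EXT_RE.search(command):
        reasons.append(DOUBLE_EXT)
    return reasons


def enumerate_run_keys() -> list[tuple[str, str, str]]:
    """Read live Run/RunOnce values as (key path, value name, command); Windows only."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent or access denied
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append((f"{hive}\\{path}", value_name, str(data)))
                index += 1
    return entries


def triage_entries(entries):
    """Keep only entries with at least one reason, attaching the reasons."""
    flagged = []
    for location, value_name, command in entries:
        reasons = classify_autorun(command)
        if reasons:
            flagged.append((location, value_name, command, reasons))
    return flagged


# Constructed sample entries so the triage runs offline on any platform.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r"C:\Users\alice\AppData\Roaming\Invoice_2023.pdf.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Loader",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -enc SQBFAFgA"),
]

if __name__ == "__main__":
    live = enumerate_run_keys()  # falls back to the constructed sample off Windows
    for location, value_name, command, reasons in triage_entries(live or SAMPLE_ENTRIES):
        print(f"[{location}] {value_name} -> {command}\n    {'; '.join(reasons)}")
```

Treat the output as a triage queue, not a verdict: legitimate per-user installers (OneDrive, Teams and similar) also run from under `AppData`, so a drop-directory hit on its own warrants a hash check of the binary rather than removal. Scheduled tasks, the third persistence route the advisory mentions, are not covered here and should be reviewed separately (for example with `schtasks /query /v /fo csv`).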
Impact
- Data Exfiltration
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
MD5
- 84f321203e4bfe709180e7eea42823a1
- 9ad0efae7e1129c431abe4c4e350e909
- 4ad372e2eadd9de51da7cd1e42e44a43
- 1134c4fc601715848430812799d0f966
SHA-256
- 2abd2490ab6bfc2a7fdf5359dd94cfa43b2059e25ab5389d1f9426b2473d175f
- 46f55b943f779bea929ccef23b67894e4ac1317e99b4d3a0839b9d95f1d7e912
- d0bd9a949008bd7b53aaf93d628840d3f838f2c2e5dcd44646e7cf90e2da17d3
- 0c69a4aceb2d7addb911bb4d1991e01d0f8ced3f40133f99422e1fe924be39fa
SHA-1
- 1e0b0d84cfb15b4ac8e0dbb688b718f13fe4ca0c
- ab51cae19dba0c096eb16fc377a27e010b36d1bc
- bbfdfaac84bf51a844a3d48a5995ed5e1e35b4bd
- 349cb575f63e0880d0eca933bd7e0b602d9a6e03
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Check for any unauthorized transactions or activities on your financial accounts and report any suspicious activities to the respective authorities.
- Ensure that your operating system and all applications are up to date with the latest security patches and updates to prevent vulnerabilities that can be exploited by malware.
- Implement two-factor authentication for your online accounts to provide an additional layer of security.
- Avoid downloading and installing pirated software, as the sites distributing it are a frequent source of malware infections.
- Educate yourself and your employees on safe computing practices, such as being cautious when opening emails and downloading attachments, to prevent future infections.
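The first two remediation steps, blocking and searching for the indicators, come down to matching file hashes. The following script is an added example written for this advisory (not a Rewterz tool): it carries the MD5, SHA-1 and SHA-256 values from the IOC section above, hashes every file under a directory tree in a single pass, and reports any file whose digest appears in the set. The placeholder file written by `demo()` is constructed for illustration and matches none of the advisory's indicators; its own SHA-256 is used only to show that a hit is reported when one exists.

```python
"""Hash-based IOC sweep for the indicators listed in this advisory (added example).

Illustrative code written for this advisory, not a Rewterz tool. The digests in
ADVISORY_IOCS are copied from the advisory's IOC section; the file written by
demo() is a constructed placeholder that matches none of them.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ADVISORY_IOCS = {
    "md5": {
        "84f321203e4bfe709180e7eea42823a1",
        "9ad0efae7e1129c431abe4c4e350e909",
        "4ad372e2eadd9de51da7cd1e42e44a43",
        "1134c4fc601715848430812799d0f966",
    },
    "sha1": {
        "1e0b0d84cfb15b4ac8e0dbb688b718f13fe4ca0c",
        "ab51cae19dba0c096eb16fc377a27e010b36d1bc",
        "bbfdfaac84bf51a844a3d48a5995ed5e1e35b4bd",
        "349cb575f63e0880d0eca933bd7e0b602d9a6e03",
    },
    "sha256": {
        "2abd2490ab6bfc2a7fdf5359dd94cfa43b2059e25ab5389d1f9426b2473d175f",
        "46f55b943f779bea929ccef23b67894e4ac1317e99b4d3a0839b9d95f1d7e912",
        "d0bd9a949008bd7b53aaf93d628840d3f838f2c2e5dcd44646e7cf90e2da17d3",
        "0c69a4aceb2d7addb911bb4d1991e01d0f8ced3f40133f99422e1fe924be39fa",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass, reading in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in digests.items()}


def scan_tree(root, iocs=ADVISORY_IOCS):
    """Walk `root` and return [(path, {alg: matched digest})] for files hitting any IOC."""
    wanted = {alg: {d.lower() for d in ds} for alg, ds in iocs.items()}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            matched = {alg: d for alg, d in digests.items() if d in wanted.get(alg, set())}
            if matched:
                hits.append((path, matched))
    return hits


def demo():
    """Constructed run: a placeholder file is swept against the advisory IOCs
    (no hit expected) and then against its own SHA-256 (one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Invoice.pdf.exe"
        sample.write_bytes(b"constructed placeholder, not a real sample\n")
        against_advisory = scan_tree(tmp)
        own = {"sha256": {hash_file(sample)["sha256"]}}
        against_self = scan_tree(tmp, own)
    return len(against_advisory), len(against_self)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for path, matched in scan_tree(sys.argv[1]):
            print(f"HIT {path}: {matched}")
    else:
        print("demo (advisory hits, self-hash hits):", demo())
```

Run it over the locations a mail-delivered stealer lands in first (user profiles, `%TEMP%`, Downloads) before sweeping whole volumes, and push the same hash set into your EDR or SIEM so the search covers every endpoint rather than one host. Keep in mind that hash indicators only catch these exact builds; a recompiled or repacked sample will not match, so the persistence and behavioural checks above remain necessary.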