Kematian-Stealer : A Deep Dive into a New Information Stealer – CYFIRMA

Kematian-Stealer is a new open-source information stealer actively developed on GitHub by the Somali-Devs team, with major contributions from user KDot227. CYFIRMA details its loader-based delivery, Windows-focused data exfiltration via Discord webhooks, and ongoing developer activity, underscoring risks from openly available malware tooling. #Kematian-Stealer #Somali-Devs #KDot227 #DiscordWebhook #GitHub

Keypoints

  • Kematian-Stealer is a newly emerging information stealer distributed as open-source software on GitHub.
  • The GitHub account involved is “Somali-Devs,” with significant contributions from KDot227, indicating a close link among contributors.
  • The initial loader uses a batch script that creates a PowerShell script, adds Defender exclusions, creates a persistence mechanism (scheduled task), and attempts to download a secondary payload (main.exe).
  • Capabilities include harvesting data from messaging apps, gaming platforms, VPNs, email/FTP clients, password managers, and cryptocurrency wallets; it also captures webcam images and desktop screenshots, then compresses and exfiltrates data.
  • The builder for Kematian-Stealer enables customization of features and C2 details via a web interface, and the malware uses in-memory execution to avoid disk writes.
  • There is evidence of cross-linking between the KDot227 and Somali-Devs accounts, suggesting the same actor or tightly connected collaborators.
  • The report emphasizes open-source accessibility and deceptive educational framing, highlighting the need for strong defenses and vigilant monitoring against such tools.

MITRE Techniques

  • [T1566] Phishing – The loader was distributed via a RAR archive likely distributed through spam or phishing emails. Quote: “a RAR archive in the wild, likely distributed via spam or phishing emails.”
  • [T1566.001] Spearphishing Attachment – The delivery route is described as phishing emails carrying the RAR archive, which fits attachment-based spearphishing in this context. Quote: “a RAR archive in the wild, likely distributed via spam or phishing emails.”
  • [T1059] User Execution – The batch script is designed to “execute a sequence of malicious actions to compromise Windows systems.” Quote: “The batch script to execute a sequence of malicious actions to compromise Windows systems.”
  • [T1204.002] Malicious File – The loader creates and runs a batch/PowerShell chain (e.g., “powershell.ps1”) to perform tasks. Quote: “creating a PowerShell script to perform several tasks” and “The batch script starts by checking if it is running with administrative privileges…”
  • [T1053] Scheduled Task/Job – The loader “creates a scheduled task for persistence” and to run at startup. Quote: “Creates a scheduled task named percs … startup with the highest privileges.”
  • [T1027] Obfuscated Files or Information – The loader “contains an obfuscated batch script in the resource section.” Quote: “contains an obfuscated batch script in the resource section.”
  • [T1564.001] Hidden Files and Directories – It “sets its attributes to hidden and system” to hinder discovery. Quote: “sets its attributes to hidden and system.”
  • [T1082] System Information Discovery – The script “Gathers various pieces of system information, including the public IP address, system information, UUID, MAC address, username, hostname, and network connections.” Quote: “Gathers various pieces of system information, including the public IP address, system information, UUID, MAC address, username, hostname, and network connections.”
  • [T1087] Account Discovery – The data collection includes user-related details such as username. Quote: “username” appears among gathered data.
  • [T1083] File & Directory Discovery – It “creates a directory (percs) in the APPDATA folder, copies itself (powershell.ps1) to this new directory and renames it to percs.ps1.” Quote: “Creates a directory (percs) in the APPDATA folder, copies itself (powershell.ps1) to this new directory and renames it to percs.ps1.”
  • [T1005] Data from Local System – It “constructs a detailed JSON payload with the collected information … and sends it to a Discord webhook.” Quote: “Constructs a detailed JSON payload with the collected information about the victim’s system … and sends it to a Discord webhook.”
  • [T1113] Screen Capture – It “captures images using the webcam and screenshots of the user’s desktop.” Quote: “Captures images using the webcam and screenshots of the user’s desktop.”
  • [T1105] Ingress Tool Transfer – It “downloads and executes additional scripts and payloads directly into memory.” Quote: “downloads and executes additional scripts and payloads directly into memory.”
  • [T1041] Exfiltration Over C2 Channel – Exfiltration occurs via a Discord webhook. Quote: “sends it to a Discord webhook.”
  • [T1048] Exfiltration Over Alternative Protocol – Exfiltration through Discord/webhook channels. Quote: “exfiltration process, sending sensitive data to the attacker’s Discord server” and related webhook references.
  • [T1485] Data Destruction – Clearing traces by deleting temporary files and the PowerShell script. Quote: “deletes temporary files and the executed PowerShell script to minimize evidence.”
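As an added example (not code from CYFIRMA or from the Kematian project), the loader steps from the Keypoints and the behaviours in the MITRE list above turned into a small Python detector that runs over constructed process-creation and network events. The "percs" task/directory name, the script names and the GitHub-download and Discord-webhook patterns come from the report; the event field names, the exact command-line shapes and all sample values are assumptions.

```python
import re

# Kematian loader/stealer behaviours from the report, as regexes over process command
# lines and outbound URLs. Names "percs", *.ps1, main.exe, Discord webhooks and the two
# GitHub accounts are from the report; the command-line shapes are assumptions about
# how those actions typically appear in telemetry (T-numbers as mapped in the report).
RULES = {
    "T1204.002_bat_loader_in_temp": re.compile(r'\\Temp\\[^\\\s"]+\.bat', re.I),
    "T1053_schtask_percs": re.compile(r'schtasks(\.exe)?\s+/create\b.*\s/tn\s+"?percs"?', re.I),
    "T1564.001_hidden_system_percs": re.compile(r'attrib(\.exe)?\b.*\+[hs]\b.*\+[hs]\b.*\\percs\b', re.I),
    "defender_exclusion_added": re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)', re.I),
    "T1105_main_exe_from_known_repos": re.compile(
        r'github\.com/(KDot227|Somali-Devs)/\S+/releases/download/\S+/main\.exe', re.I),
    "T1041_discord_webhook": re.compile(r'https?://(\w+\.)?discord(app)?\.com/api/webhooks/', re.I),
    "stealer_script_executed": re.compile(r'\\(percs|main|powershell)\.ps1\b', re.I),
}

def detect(events):
    """Return {rule_name: [event indices]} for every rule matching at least one event.
    Each event is a dict with optional 'cmdline' and/or 'url' keys (assumed schema)."""
    hits = {}
    for i, ev in enumerate(events):
        text = " ".join(str(ev.get(k, "")) for k in ("cmdline", "url"))
        for name, rx in RULES.items():
            if rx.search(text):
                hits.setdefault(name, []).append(i)
    return hits

def is_kematian_like(hits, min_rules=2):
    """Alert only when several distinct behaviours co-occur on one host; a lone
    Discord webhook call or a single .bat in Temp is too weak on its own."""
    return len(hits) >= min_rules

# Constructed sample telemetry for one host: six malicious-looking events, two benign.
SAMPLE_EVENTS = [
    {"cmdline": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\E3D0.bat"'},
    {"cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Roaming\percs"'},
    {"cmdline": r'schtasks /create /tn percs /sc onlogon /rl highest /tr "powershell -File C:\Users\bob\AppData\Roaming\percs\percs.ps1"'},
    {"cmdline": r'attrib +h +s "C:\Users\bob\AppData\Roaming\percs"'},
    {"url": "https://github.com/Somali-Devs/Kematian-Stealer/releases/download/AutoBuild/main.exe"},
    {"url": "https://ptb.discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN"},
    {"cmdline": r'schtasks /create /tn Backup /sc daily /tr "C:\Tools\backup.exe"'},
    {"cmdline": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print("kematian-like:", is_kematian_like(found), found)
```

The threshold in is_kematian_like is a tuning knob: raise it in noisy environments, and treat the "percs" task or directory name alone as a high-confidence match regardless of the count.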

Indicators of Compromise

  • [MD5 File Hash] – 736376a77af0a4eb7108ba02d989c137, 02f3b7596cff59b0a04fd2b0676bc395
  • [MD5 File Hash] – D2EA85153D712CCE3EA2ABD1A593A028, A3619B0A3EE7B7138CEFB9F7E896F168
  • [MD5 File Hash] – 18b5977b1a59c585f00ed7dca0fa81c9, 80CF2D7AE1F3ACC750F2CF454B4832C6
  • [File Name] – E3D0.bat, percs.ps1, powershell.ps1, main.ps1
  • [URL] – https://ptb.discord.com/api/webhooks/1247594902611562546/VpMh55OYaqHByOG1Q8vjiiF_seZ3lgXeGdLWhpxfr2UlP261GpZWDiu4lqiTNyAvsrs-, https://discord.gg/vk3rBhcj2y, https://github.com/KDot227/Powershell-Token-Grabber/releases/download/Fixed_version/main.exe, https://github.com/Somali-Devs/Kematian-Stealer/releases/download/Fixed_version/main.exe, https://github.com/Somali-Devs/Kematian-Stealer/
  • [URL] – https://github.com/KDot227/Powershell-Token-Grabber/, https://github.com/Somali-Devs/Kematian-Stealer/releases/download/AutoBuild/main.exe, https://github.com/Somali-Devs/Kematian-Stealer/blob/main/frontend-src/main.ps1
  • [URL] – https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/blockhosts.ps1, https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin
  • [IP Address] – 127.0.0.1 (localhost) used by the builder/private server (https://127.0.0.1:8080)

Read more: https://www.cyfirma.com/research/kematian-stealer-a-deep-dive-into-a-new-information-stealer/