June 2, 2023
Severity
High
Analysis Summary
StormKitty is an information stealer built to harvest sensitive data from infected Windows systems: login credentials and saved passwords, cryptocurrency wallets, and other valuable information. Its source code is publicly available, so the samples seen in the wild are frequently rebuilt and repacked by different operators. The stolen data is typically used for identity theft, financial fraud, and unauthorized access to the victim's accounts.
StormKitty has the following key characteristics:
- Data theft: the primary objective is to exfiltrate sensitive data from compromised systems. It targets a wide range of applications, including web browsers, email clients, FTP clients, and cryptocurrency wallets, collecting stored credentials, browser cookies, autofill data, and other personal information.
- Command and control: the malware reports to remote C2 infrastructure operated by the attackers, which lets them issue instructions, push updated builds, and receive the stolen data.
- Persistence: to survive reboots it uses standard Windows persistence mechanisms such as registry Run keys, entries in the Startup folder, or scheduled tasks. These locations are worth auditing on any host that matches the indicators below.
- Anti-analysis: the code is obfuscated, packed or encrypted, and checks for virtual machines and sandboxes before running its payload, so dynamic analysis should be performed in an environment that hides those artifacts.
- Delivery: samples are distributed as email attachments disguised as legitimate files such as PDFs, Word documents, or archives.
Impact
- Data Exfiltration
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
MD5
- 8a728a201ff4eebc956d8747c0b689e8
- e067420d4846f5ec6295db05b2a0a981
- 732cf8e4705bae9c302edb49b8966698
SHA-256
- 0807202daf2095810fdbc78ccf60ed83368e84da1f89d7215f9bac6590b40b7d
- 1f53cffa281a18eec6149e2fc33e25cb597281c536825156696a5fb6f48b59a1
- aa8af7d536784e3cf37f4a5011112d9ad3eb8d91c5b786ad6ad0ca9a1cdb173f
SHA-1
- 94fe365f40c34e83e39a4c81c7cf9319d7cfa6cc
- 9dc078c6e827d602d5d75c079442183693ab4e16
- 5a915f628f4e92f65a2796c84dc93fabf27d8cf0
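The hashes above are only useful if they are actually swept against the estate. The script below is an added example, not Rewterz tooling: it walks a directory tree, computes MD5, SHA-1 and SHA-256 of every regular file in one read pass, and reports any file whose digest appears in the alert's IOC set. The scan root argument and the constructed file used by `selfcheck()` are assumptions; the digests themselves are copied from the lists above.

```python
"""Sweep a directory tree for files whose digest matches the StormKitty IOC set.

Added example for this alert, not Rewterz tooling. The IOC hashes are copied from the
alert; the scan root and the benign file built in selfcheck() are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Hashes from the alert's IOC section, lowercase hex, keyed by hashlib algorithm name.
STORMKITTY_IOCS: Dict[str, Set[str]] = {
    "md5": {
        "8a728a201ff4eebc956d8747c0b689e8",
        "e067420d4846f5ec6295db05b2a0a981",
        "732cf8e4705bae9c302edb49b8966698",
    },
    "sha1": {
        "94fe365f40c34e83e39a4c81c7cf9319d7cfa6cc",
        "9dc078c6e827d602d5d75c079442183693ab4e16",
        "5a915f628f4e92f65a2796c84dc93fabf27d8cf0",
    },
    "sha256": {
        "0807202daf2095810fdbc78ccf60ed83368e84da1f89d7215f9bac6590b40b7d",
        "1f53cffa281a18eec6149e2fc33e25cb597281c536825156696a5fb6f48b59a1",
        "aa8af7d536784e3cf37f4a5011112d9ad3eb8d91c5b786ad6ad0ca9a1cdb173f",
    },
}

CHUNK = 1 << 20  # read in 1 MiB chunks so large files never load fully into memory


def _new_hashers() -> Dict[str, "hashlib._Hash"]:
    return {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer (used for small inputs and tests)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests(path: Path) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, all three fed from a single read pass."""
    hashers = _new_hashers()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root: str, iocs: Dict[str, Set[str]] = STORMKITTY_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every regular file whose digest is in `iocs`.

    Symlinks are skipped to avoid loops, and files that cannot be read (permission
    denied, deleted mid-scan) are skipped rather than aborting the whole sweep.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                d = digests(p)
            except OSError:
                continue
            for algo, value in d.items():
                if value in iocs.get(algo, set()):
                    hits.append((str(p), algo, value))
    return hits


def selfcheck() -> bool:
    """Prove the matcher fires: hash a constructed benign file, use that hash as a
    stand-in IOC, and confirm the real StormKitty set yields no hit on the same tree."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed benign sample, not malware")  # constructed input
        expected = digest_bytes(sample.read_bytes())["sha256"]
        hits = scan_tree(tmp, {"sha256": {expected}})
        return hits == [(str(sample), "sha256", expected)] and scan_tree(tmp) == []


if __name__ == "__main__":
    import sys

    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed argument
    for path, algo, value in scan_tree(scan_root):
        print(f"MATCH {algo} {value} {path}")
```

Run it as `python sweep.py C:\Users` (or any path) on a host you suspect; any `MATCH` line is a file that should be quarantined and the host treated as compromised. Because all three algorithms are computed in one pass, a sample that only appears in one of the alert's lists is still caught.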
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls (EDR, SIEM, file-hash sweeps).
- Treat credentials stored in browsers, email clients, FTP clients and wallets on any affected host as compromised: reset them and revoke active sessions.
- Maintain cyber hygiene by keeping anti-virus software up to date and running a patch management lifecycle.
- Maintain offline backups. Although StormKitty is a stealer rather than ransomware, the same rule applies: an adversary with access will delete or encrypt any backups they can reach, so keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.