Rewterz Threat Alert – StormKitty Stealer: A Threatening Information-Stealing Malware – Active IOCs

Severity

High

Analysis Summary

StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable information. The stolen data is often used for various malicious purposes, including identity theft, financial fraud, and unauthorized access.

StormKitty Stealer possesses several key characteristics and functionalities:

• The primary objective of StormKitty Stealer is to exfiltrate sensitive data from compromised systems. It can target a wide range of applications, including web browsers, email clients, FTP programs, cryptocurrency wallets, and more. The malware collects stored credentials, browser cookies, autofill data, and other personal information.
• StormKitty Stealer establishes communication with remote command and control servers controlled by the attackers. This allows them to receive instructions, update the malware, and exfiltrate stolen data securely.
• To ensure its longevity on infected systems, StormKitty Stealer employs various persistence mechanisms. These may include creating registry entries, adding startup entries, or utilizing scheduled tasks to ensure the malware remains active and can survive system reboots.
• StormKitty Stealer incorporates anti-analysis techniques to evade detection by security software. This includes obfuscating code, employing packers or encryptors, and detecting the presence of virtual machines or sandboxes. The malware can be distributed as an email attachment disguised as a legitimate file, such as a PDF, Word document, or an archived file. 

Impact

• Data Exfiltration
• Credential Theft
• Information Theft
• Financial Loss

Indicators of Compromise

MD5

• 1e3185eddfd7dabc8746a35ced59f6d1
• a7d8b5319a545b81637c4c52e9a2a289
• 852266022ac0283a02051764f34af1ef
• ce21d87f567ceca173a92c5a1b3ba148

SHA-256

• 24c43375fb726dbf16803dd6289d64984d9de0ed10f6bcc84e3f67b8a52c6904
• 64cfb742accf0ccd0d20225f5c16688dda0aa93aa005157f02f0249bf3fe298e
• 45e9234add22c91058024b82e30c0b63571122e9c107b6e1d760c3cfaa4d7cbd
• 9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1

SHA-1

• 3057f2bf376b2cf765b0680b594e4e8417f4bcd8
• c7cc54bb2647de0130d1484eba4e7bd09f083f75
• fa2162497768899c03b844a4c6aa623b50e610fd
• 18d4d80d666d92644268f80e9eaa7946f399d44d

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets