
A newly analyzed variant of the Katz Stealer malware has been dissected by the Nextron Threat Research Team, revealing a sophisticated, multi-layered credential stealer operating as Malware-as-a-Service (MaaS). Designed to exfiltrate vast quantities of sensitive data across platforms, Katz Stealer showcases an alarming array of capabilities — from browser credential theft and cryptocurrency wallet targeting to Discord hijacking and advanced evasion tactics.
Katz Stealer is a feature-rich malware targeting a wide range of data sources. It collects:
- Saved passwords, cookies, and session tokens from Chrome, Firefox, Brave, and Edge.
- Cryptocurrency wallets and seed phrases by scanning files, extensions, and directories.
- Gaming credentials from Steam.
- Data from communications platforms such as Discord, Telegram, Slack, and Microsoft Teams.
- Email data from Outlook, Windows Live Mail, and Foxmail.
- Network configuration details including WiFi credentials, VPN setups, FTP logins, and Ngrok tokens.
- Screenshots, clipboard content, and system profiling data.
“Katz Stealer is a multi-feature stealer that conducts broad system reconnaissance and data theft,” the analysis states.
Katz Stealer employs multiple anti-analysis and evasion methods to avoid detection:
- Geofencing to avoid execution in CIS countries.
- Virtual machine and sandbox detection using BIOS registry checks, screen resolution, and system uptime analysis.
- Anti-forensic memory wiping and DLL injection via process hollowing.
- UAC bypass using cmstp.exe — a legitimate Windows utility — to elevate privileges silently.
“The .NET payload also includes a UAC bypass abusing cmstp.exe… allowing the malware to run with elevated privileges without triggering User Account Control (UAC) prompts,” the Nextron team explains.

The infection begins with malicious JavaScript embedded in GZIP files, which downloads a base64-encoded PowerShell script that, in turn, retrieves an obfuscated payload hidden inside an image file hosted on archive.org. This payload is decoded in memory using .NET Reflection and then injected into the MSBuild process.
“This technique helps the malware evade detection by concealing its payload within benign-looking content,” the analysis notes.
The MSBuild-injected payload connects persistently to a command and control (C2) server and downloads additional malware modules — including browser-targeted DLLs.
One of the most dangerous capabilities is Katz Stealer’s ability to bypass Chrome’s encryption of stored credentials. After injecting into the browser process:
- It extracts the Local State file containing the decryption key.
- It stores plain-text decrypted keys in AppData using names like decrypted_chrome_key.txt.
- A modified version of an open-source decryption tool is used to unlock stored passwords and cookies.
By modifying index.js in the app.asar of Discord’s Electron-based app, Katz Stealer establishes a stealthy backdoor within Discord’s trusted process:
“The malicious code connects to twist2katz.com… It then executes remote JavaScript payloads within Discord’s process, establishing a persistent backdoor.”
Katz Stealer goes beyond common wallets, targeting over a dozen crypto applications and 154 wallet extensions, including Brave’s internal wallet system. It collects:
- Wallet files
- Private keys
- Full directory structures (recursively)
It then exfiltrates the data to a remote server and deletes the temporary folders post-exfiltration.
“The stolen data is immediately uploaded to a remote server… [and] the malware deletes the temporary folder to erase traces of its activity.”
The Nextron team provides YARA and Sigma rules to detect Katz Stealer artifacts and behaviors.
Additionally, defenders can monitor for suspicious PowerShell activity, UAC bypasses, and network connections to known C2 addresses.
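As an added defensive example (not code from the Nextron analysis or the article), the following Python script applies the behavioural indicators named above to constructed Sysmon-style events: cmstp.exe loading a .inf profile from a user-writable path, MSBuild launched by PowerShell (an assumption about the launch chain, since the article only says the payload is injected into MSBuild), a decrypted_chrome_key.txt file written under AppData, and a connection to twist2katz.com. The event field names and sample paths are assumptions.

```python
import re

# Constructed Sysmon-style events, not real telemetry: field names, hosts and paths are
# assumptions, except decrypted_chrome_key.txt and twist2katz.com, which come from the analysis.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "cmdline": r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\profile.inf"},
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "MSBuild.exe"},
    {"kind": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt"},
    {"kind": "network", "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "dest_host": "twist2katz.com", "dest_port": 443},
]

KNOWN_C2_HOSTS = {"twist2katz.com"}  # from the Nextron analysis; extend with your own intel
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(event):
    """Return the names of every Katz Stealer behaviour the event matches (empty if benign)."""
    hits = []
    kind = event.get("kind")
    image = _basename(event.get("image", ""))
    if kind == "process":
        parent = _basename(event.get("parent", ""))
        cmd = event.get("cmdline", "")
        # cmstp.exe UAC bypass: a .inf profile loaded from a user-writable location
        if image == "cmstp.exe" and ".inf" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append("cmstp_uac_bypass")
        # MSBuild as injection host (assumption: spawned by the PowerShell stage)
        if image == "msbuild.exe" and parent in ("powershell.exe", "pwsh.exe"):
            hits.append("msbuild_from_powershell")
    elif kind == "file":
        path = event.get("path", "")
        # plaintext Chrome key dropped in AppData, as the analysis describes
        if _basename(path) == "decrypted_chrome_key.txt" and "\\appdata\\" in path.lower():
            hits.append("chrome_key_dump")
    elif kind == "network":
        if event.get("dest_host", "").lower() in KNOWN_C2_HOSTS:
            hits.append("known_c2_connection")
    return hits

def scan(events):
    # map each matching event index to its rule names; benign events are omitted
    return {i: hits for i, e in enumerate(events) if (hits := match_rules(e))}
```

Each rule is deliberately narrow; in production, feed real process, file and network telemetry and tune the user-writable path list to your environment.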