StormKitty Stealer: Analyzing the Open-Source Malware

Cat Attack! Exploring the Open-Source StormKitty Stealer

It’s common knowledge that if you forget (or never knew) a password for a service but it’s saved in your browser, you can retrieve it. It’s equally well-known that any trojan that ends up on your computer can just as easily grab those saved passwords. Today, we’ll take a look at one such piece of malware with a cute name and show how it works.

During a pentest, it’s often necessary to demonstrate impact on a compromised machine. The most convincing proof of success for a client is a list of passwords from employees’ computers, and the excellent StormKitty stealer can help with that. It’s free, open-source, works reliably, and even sends results directly to Telegram. No wonder it was removed from GitHub (though not for long), and antivirus programs scream at the sight of it.

If you’re reading “Hacker,” there’s no point explaining what a stealer is or how it differs from ransomware or a RAT. Let’s just download the source code or a ready-made build from the project’s mirror on GitHub, unpack it, and take a closer look.

WARNING: The author and editors are not responsible for any harm caused by using the materials in this article. Distributing malware, unauthorized access to information, and violating privacy are criminal offenses. Penetration tests require a written agreement with the client.

StormKitty’s Multifunctional Paws

What can our “cat” do? According to the author, quite a lot. It steals data, fingerprints the system, and even has advanced features like anti-analysis and a built-in obfuscator. Here’s the full list of declared features:

  • Anti-analysis: Detects virtual machines (Hyper-V, VirtualBox, VMware), sandboxes (Sandboxie, COMODO), and online analysis systems (VirusTotal, Any.Run). The anti-debugger simply calls the WinAPI function CheckRemoteDebuggerPresent, and it checks if the external IP belongs to a hosting provider. Honestly, I expected more here.
  • Fingerprinting: Collects OS version, CPU and GPU details, RAM info, IP addresses, BSSID of nearby Wi-Fi, geolocation, screen info, and installed programs. It even generates a unique system identifier. Also grabs the Windows activation key and process list.
  • Browser data theft: Targets Chromium-based browsers (steals passwords, card data, cookies, history, autofill, bookmarks), Firefox (cookies, history, bookmarks, and other DB files), Internet Explorer and Microsoft Edge (passwords only).
  • Wi-Fi network info: Sends saved networks and scans for available ones (reporting SSID and BSSID).
  • File collection: Documents, images, source code, databases—anything valuable. It also works with USB drives. The code specifies which file formats are targeted, including C, C++, C#, Assembly, Bash, Python, HTML, CSS, PHP, Go, JavaScript, Ruby, Perl, Swift, Java, and Kotlin.
  • Banking and crypto service detection in browsers: This is clearly malicious and not recommended for testing.
  • Game platform session theft: Steam, Uplay, Battle.Net, and Minecraft.
  • Keylogger and clipper installation: The keylogger is straightforward, but the clipper is less known—it looks for certain data in the clipboard (like crypto wallet addresses) and replaces it with another.
  • Screenshots from screen and camera: The author claims the camera activates if the user is detected viewing explicit content.
  • VPN account theft: Targets ProtonVPN, OpenVPN, and NordVPN.
  • Local crypto wallet file theft: Specialized for Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda, and Coinomi.
  • Directory structure logging.
  • Telegram session copying: The attacker uses the same token as the original user, so no extra sessions appear in the active list.
  • Outlook, Pidgin, Skype, Discord, and Filezilla accounts.
  • Autostart: Implemented simply by copying the payload to the startup folder—no registry or task scheduler involved.
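The autostart item above is the one feature a defender can check for almost for free: a file copied into a Startup folder is just a file on disk. The following is an added example, not StormKitty’s code or anything from its author, that lists runnable files in the per-user and all-users Startup folders with their SHA-256 hashes so they can be compared against an allowlist. The folder paths derived from APPDATA and PROGRAMDATA, the RUNNABLE extension set, and the constructed files in demo_audit() are assumptions for the example.

```python
"""Audit the Windows Startup folders for dropped executables.

Added example (not StormKitty code): StormKitty persists by copying itself into
the user's Startup folder, so a periodic listing of that folder with file hashes
is a cheap detective control. Paths and the RUNNABLE set are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types that Explorer will run from a Startup folder (assumed typical set).
RUNNABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def windows_startup_dirs():
    """Per-user and all-users Startup folders, derived from environment variables."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"], "Microsoft", "Windows",
                         "Start Menu", "Programs", "Startup"))
    if os.environ.get("PROGRAMDATA"):
        dirs.append(Path(os.environ["PROGRAMDATA"], "Microsoft", "Windows",
                         "Start Menu", "Programs", "StartUp"))
    return dirs


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_startup_dir(directory, allowlist=frozenset()):
    """Return one finding per runnable file whose SHA-256 is not in the allowlist.

    A missing directory yields no findings rather than an exception, so the
    function can be pointed at every candidate path without pre-checks.
    """
    directory = Path(directory)
    if not directory.is_dir():
        return []
    findings = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in RUNNABLE:
            continue
        digest = sha256_file(entry)
        if digest in allowlist:
            continue
        findings.append({
            "path": str(entry),
            "name": entry.name,
            "sha256": digest,
            "size": entry.stat().st_size,
        })
    return findings


def demo_audit():
    """Run the audit over a constructed Startup folder so the example is self-contained."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed contents: one dropped binary (fake MZ header), one harmless
        # text file, and one allowlisted launcher script. Names are made up.
        dropped = Path(tmp, "update.exe")
        dropped.write_bytes(b"MZ" + b"\x00" * 64)
        Path(tmp, "readme.txt").write_text("not executable")
        known = Path(tmp, "sync.cmd")
        known.write_text("@echo off\r\nrem company launcher\r\n")
        allow = frozenset({sha256_file(known)})
        return audit_startup_dir(tmp, allowlist=allow)


if __name__ == "__main__":
    # On a real Windows host this walks the actual Startup folders; elsewhere
    # only the constructed demo produces output.
    for d in windows_startup_dirs():
        for f in audit_startup_dir(d):
            print(f"{f['sha256']}  {f['size']:>9}  {f['path']}")
    for f in demo_audit():
        print("demo:", f["name"], f["sha256"])
```

Hashing the files rather than only listing names matters here: a stealer build is obfuscated per build, so filenames and sizes vary while an allowlist of known-good launcher hashes stays stable. A .lnk shortcut is reported but not resolved; inspect its target separately.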

As you can see, the feature set is extensive (and many are clearly illegal). Despite this, the final build is only 239 KB and includes all dependencies.

Installation

If you downloaded the source code, you’ll need to build it. The code is in C# and easy to read, so you can study how such programs work “on a live patient.” I used Visual Studio 2019 with the .NET desktop development component. Everything compiled right away—surprisingly!

Instead of a server, StormKitty uses a Telegram bot. To use it, create a new bot and insert its token into your build. Send the /newbot command to Telegram’s bot-management bot (@BotFather) and follow the instructions.

Copy the token you receive and paste it into the builder, which is a C# console app. The build process consists of a few questions, after which you’ll get the path to the finished build. Some features (like the clipper and keylogger) require autostart to be enabled.
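Because the stealer reports through the Telegram Bot API rather than a C&C server, the network tell on the defender’s side is an HTTPS request to api.telegram.org whose path has the shape /bot<id>:<secret>/<method>. The block below is an added example, not StormKitty’s code or anything from its author: it scans proxy log lines for such requests and separates data-moving methods (sendMessage, sendDocument and the like) from control calls, without ever copying the bot secret into a finding. The tab-separated log layout, the EXFIL_METHODS set and the sample lines in SAMPLE_LOG are all constructed assumptions for the example; the bot id and secret in them are placeholders.

```python
"""Spot Telegram Bot API exfiltration in web-proxy logs.

Added example (not StormKitty code). StormKitty reports to a Telegram bot instead
of a C&C server, so on the wire the tell is HTTPS traffic to api.telegram.org
with a /bot<id>:<secret>/<method> path. The log format below is a constructed
tab-separated layout (timestamp, source IP, user agent, URL); adapt parse_line()
to your proxy's real format.
"""
import re
from dataclasses import dataclass

# Bot API URL shape. The secret group is matched but deliberately never stored.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods that move data off the endpoint (assumed subset; getMe/getUpdates are control traffic).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user_agent: str
    bot_id: str
    method: str
    exfil: bool


def parse_line(line):
    """Split one constructed proxy log line; returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "src", "ua", "url"), parts))


def scan_log(lines):
    """Return a Finding for every Bot API request, with the token secret redacted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        findings.append(Finding(
            ts=rec["ts"], src=rec["src"], user_agent=rec["ua"],
            bot_id=m.group("bot_id"), method=m.group("method"),
            exfil=m.group("method") in EXFIL_METHODS,
        ))
    return findings


def exfil_sources(findings):
    """Source IPs that uploaded something via the Bot API, with the methods seen."""
    by_src = {}
    for f in findings:
        if f.exfil:
            by_src.setdefault(f.src, set()).add(f.method)
    return by_src


# Constructed sample log; bot id 123456789 and the secret are placeholders, not a real token.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/124\thttps://www.example.com/",
    "2024-05-01T10:00:07Z\t10.0.0.15\t-\thttps://api.telegram.org/bot123456789:PLACEHOLDER_SECRET_aB3/getMe",
    "2024-05-01T10:05:12Z\t10.0.0.15\t-\thttps://api.telegram.org/bot123456789:PLACEHOLDER_SECRET_aB3/sendMessage",
    "2024-05-01T10:05:13Z\t10.0.0.15\t-\thttps://api.telegram.org/bot123456789:PLACEHOLDER_SECRET_aB3/sendDocument",
    "2024-05-01T10:06:00Z\t10.0.0.42\tMozilla/5.0 (Windows NT 10.0) Firefox/125\thttps://web.telegram.org/",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EXFIL" if f.exfil else "bot-api"
        print(f"{f.ts} {f.src:<10} {flag:<8} bot {f.bot_id} {f.method}")
    print(exfil_sources(scan_log(SAMPLE_LOG)))
```

The empty user agent on the Bot API lines is itself a useful signal: browsers visiting web.telegram.org identify themselves, while a .NET stealer posting to the Bot API typically does not. Keeping the bot id but dropping the secret lets the finding be shared in a ticket without handing the token to everyone who reads it.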

Obfuscation is done with ConfuserEx, which is included in the release version of the builder. I checked the output in dnSpy, and the code was completely unreadable.

INFO: ConfuserEx is a free, open-source protector for .NET applications. The original repository is abandoned, but there are active forks. It supports anti-debugging, memory dump protection, control flow obfuscation, and code encryption.

I also uploaded the obfuscated build to virustotal.com, where it was flagged by 35 out of 69 engines. Surprisingly, Avast, Dr.Web, and Kaspersky were silent. The builder itself was flagged by 51 out of 68 engines, likely due to the included payload.

Testing

I built the stealer manually from source, without the clipper, keylogger, or autostart. I also removed unnecessary features. On launch, I got a fake error message. Five minutes later, a long message arrived in Telegram with a link to a file. Let’s take a closer look.

All potentially sensitive data has been redacted. The message itself wasn’t particularly valuable, but a few errors stood out: Internal IP and Gateway IP didn’t match (because the internal IP belonged to a VPN), and the list of adapters and addresses wasn’t shown, even though I have over a dozen adapters (thanks, Microsoft Hyper-V!). Also, StormKitty didn’t detect my second monitor.

After downloading and unpacking the file, I saw a set of folders:

  • Browsers: Contains data from Chrome (autofill, bookmarks, history, cookies, downloaded files, and passwords), Internet Explorer (only an Azure Cloud Shell token), and Thunderbird (profiles extracted but still encrypted).
  • Directories: Tree structures of certain folders (Desktop, Documents, Downloads, Pictures, Startup, Videos, Temp). It’s unclear why this is useful.
  • Gaming: Useless in my case. It found Minecraft and grabbed screenshots and a list of installed versions.
  • Grabber: Collected 1,193 files totaling 2.2 MB—mostly junk, missing interesting files nearby. It did grab a folder where I clone GitHub repos, which could be valuable.
  • Messenger: The most interesting. Inside were Telegram and Discord folders. For Telegram, 16 files allowed me to log into my session by placing them in the tdata folder of a fresh Telegram binary (local password required, but brute-forcing four digits offline is trivial). For Discord, it grabbed the token (all found tokens are saved in tokens.txt) and session files.
  • System: General info about the target computer: screenshot (main monitor only), process list (with PID and executable path, but no launch arguments), Windows activation key, saved and available Wi-Fi networks, and active applications.

The list of saved Wi-Fi networks shows 65001 as the password for open networks; that is not a password but the active code page number (65001 is UTF-8), so something in the parsing slipped. The available networks list is accurate, showing SSID, BSSID, signal, and other details.

The last report file is a list of open windows, with window titles, PIDs, and executable paths. Again, no launch arguments are shown.

Conclusion

My impressions are mixed, so here are the pros and cons—decide for yourself if this tool is right for you.

  • Pros:
    • Compiles without issues on the first try
    • Build is only a few hundred kilobytes
    • Automatic obfuscation
    • Readable source code
    • Free
    • Many features
    • No need for C&C server
    • Cute cat theme
  • Cons:
    • Detected by many antiviruses (though not all)
    • No ability to control infected machines
    • Some features don’t work as intended (grabber, Thunderbird password extraction)
    • Doesn’t show some important info
    • Depends on .NET 4 (but .NET is easy to install, even on Windows XP, and preinstalled since Windows 7)
    • Sometimes buggy or has odd design choices (e.g., anti-debugging via direct WinAPI call)

There are more pros than cons, but the cons are significant. Some features couldn’t be tested, and I don’t want to speculate. Most importantly, remember: before using, you’ll need to disable protection or spend a night with protectors, packers, obfuscators, and other such tools.
