Tuesday, November 12, 2024
HomeCyber AttackStrelaStealer Malware Hacked 100+ Organizations Across The EU And U.S

StrelaStealer Malware Hacked 100+ Organizations Across The EU And U.S

Published on

Malware protection

Strelastealer malware has been found to be distributed in large-scale campaigns that have currently impacted over 100 organizations across the U.S. and EU.

The malware was first discovered in 2022 and is capable of stealing a victim’s email login information and exfiltrating it to the threat actor’s C2 server.

However, the current campaigns were conducted in the form of spam emails with attachments for launching the StrelaStealer’s DLL payload.

- Advertisement - SIEM as a Service

As a means of evading detection at email gateways, threat actors have been changing the file format which prevents the matching of signatures and patterns.

Moreover, the last campaign conducted by the threat actors dates back to November 2023.

StrelaStealer Malware

According to the reports shared by Unit 42 researchers, the malware authors have been updating the DLL payload with better obfuscations and anti-analysis methods for making it extremely hard for analysts and security products to analyze the samples.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

Though several tactics have been used, the malware can still be detected due to the identifiable “strela” string in the DLL payload.

Nevertheless, the new variant of the malware is delivered as a zipped JScript, which employs an updated obfuscation technique in the DLL payload. 

The spam emails usually had the subject line with patterns of Factura (Bill – Spanish)/Rechnung (The invoice – German) /invoice###.

Moreover, it has also been discovered that the threat actors have been heavily targeting high-tech industries with this malware.

Example spam email from campaign (Source: Unit 42)

Malware Analysis

StrelaStealer’s previous variants involve the use of ISO files that contain an LNK file and an HTML file.

Additionally, the malware also used polyglot files that vary based on the applications being executed. 

Infection chain (Source: Unit 42)

When a victim clicks on the LNK file inside the ISO file, the HTML file is executed, which invokes the execution of the embedded StrelaStealer payload via rundll32.exe.

The initial DLL payload is encrypted which is decrypted during execution with the help of a constant XOR key, Unit 42 researchers said.

As of the current variant of the malware, the threat actors have been using spear-phishing emails with ZIP file attachments, which, when downloaded and opened, drop a JScript file on the system. 

Comparison between old and new version of StrelaStealer (Source: Unit 42)

Following this, the JScript file drops another base64-encrypted file and a batch file.

The base64-encrypted file is embedded with certutil -f decode command which will create a Portable Executable DLL file which is dropped into either %appdata%\temp or c:\temp based on the user’s privilege.

This DLL file is then executed using the exported hello function that uses the rundll32.exe process.

Moreover, the packer of the new variant also uses a control flow obfuscation technique which has a long code block containing numerous arithmetic functions for the purpose of preventing analysis of the malware by analysts and security products.

The payload size and the decryption key depends on the configuration of the payload.

Though the file attachments for every spam email differs, the presence of strings like strela, server.php, key4.db and login.json indicates their association with StrelaStealer malware.

Furthermore, the configuration of the payload also includes the communication with the C2 server for exfiltrating the email login data from the victims.

C2 server name mentioned in the StrelaStealer malware string (Source: Unit 42)

Indicators Of Compromise

SHA256 HashFiletype
0d2d0588a3a7cff3e69206be3d75401de6c69bcff30aa1db59d34ce58d5f799ae6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1DLL
f95c6817086dc49b6485093bfd370c5e3fc3056a5378d519fd1f5619b30f3a2eaea9989e70ffa6b1d9ce50dd3af5b7a6a57b97b7401e9eb2404435a8777be054b8e65479f8e790ba627d0deb29a3631d1b043160281fe362f111b0e080558680EML
3189efaf2330177d2817cfb69a8bfa3b846c24ec534aa3e6b66c8a28f3b18d4bZIP
544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45JS
193[.]109[.]85[.]231C2 server

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...