Strela Stealer Hijacks Your Outlook & Thunderbird Logins

Hive0145, an initial access broker (IAB), has been actively targeting European organizations since mid-2023, primarily using Strela Stealer, a credential-stealing malware delivered through phishing emails with weaponized attachments. 

Initially, they employed generic phishing lures, but in early 2024, they began using stolen emails from various industries to enhance their attacks’ legitimacy. 

Recently, they’ve expanded their targeting to Ukraine, utilizing stolen invoice emails, which highlights their increasing sophistication and adaptability in their cyber operations.

Banco Santander-themed email campaign

The threat actor Hive0145 has recently escalated their phishing tactics, employing attachment hijacking to distribute malicious payloads by stealing legitimate emails, replacing the attachments with malware-laden files, and sending them to a wider audience. 

This technique, coupled with automation, has enabled them to launch large-scale campaigns against Spanish, German, and Ukrainian users. The stolen emails often originate from sectors such as finance, technology, and manufacturing, which makes the attacks highly convincing and difficult to detect.

Example of the original stolen email of an invoice targeting Ukraine

Hive0145 has employed increasingly sophisticated techniques to distribute Strela Stealer. Initially, the group used polyglot files to bypass security solutions; later, it leveraged stolen digital certificates to sign malicious binaries and lend them legitimacy. 

To avoid detection, the group also ran targeted phishing campaigns with encrypted attachments and filenames specific to the recipient's domain. 

Additionally, uncommon file extensions such as .com and .pif were used to execute malicious payloads, which demonstrates a high level of technical sophistication and a continuous effort to adapt to evolving security measures.

Another stolen certificate used in mid-2023 to target Italian victims

Recent Strela Stealer campaigns employ obfuscated scripts to download and execute a crypted DLL, which is encrypted using Stellar Crypter, a tool exclusively used by Hive0145 since May 2023. 

Stellar Loader, a highly obfuscated crypter, decrypts the XOR-encrypted Strela Stealer payload and executes it, primarily targeting email credentials from Microsoft Outlook and Thunderbird. 

According to Security Intelligence, the stealer encrypts the harvested credentials and sends them to a hardcoded C2 server, together with information about the system and a list of installed applications.
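The loader described above strips an XOR layer off the Strela Stealer DLL before running it. When analysts unpack such a sample, a common step is to recover the XOR key from the predictable DOS header that every Windows executable starts with. The following is an added example written for this article, not code from the article or from any Hive0145 tooling; the 5-byte key, the fake payload and the key-length limit are constructed values for illustration.

```python
# Added example (not from the article or from the malware): recovering a
# repeating-key XOR layer from an encrypted PE payload via known plaintext.
# A Windows executable starts with a predictable DOS header, which gives an
# analyst enough known bytes to derive the key and confirm it.
from itertools import cycle
from typing import Optional

# First 16 bytes of the DOS header as emitted by typical Microsoft linkers
# ("MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xffff).
PE_KNOWN_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encrypts and decrypts)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, key_len: int,
                    known: bytes = PE_KNOWN_PREFIX) -> Optional[bytes]:
    """Derive a repeating XOR key of length key_len from the known plaintext
    prefix, then confirm that every known position agrees with that key.
    Returns None when the candidate is inconsistent with the known bytes."""
    if key_len <= 0 or key_len > len(known) or len(blob) < len(known):
        return None
    candidate = bytes(blob[i] ^ known[i] for i in range(key_len))
    # Check all known positions, not just the first key_len of them.
    if xor_bytes(blob[:len(known)], candidate) != known:
        return None
    return candidate


def find_xor_key(blob: bytes, max_len: int = 16) -> Optional[bytes]:
    """Try key lengths 1..max_len and return the shortest consistent key."""
    for n in range(1, max_len + 1):
        key = recover_xor_key(blob, n)
        if key is not None:
            return key
    return None


# Constructed sample: a fake PE-like payload (header + DOS stub text + filler),
# encrypted with a constructed 5-byte key. Neither value comes from a real sample.
SAMPLE_KEY = b"\x5a\x13\xc4\x07\x88"
SAMPLE_PLAINTEXT = (PE_KNOWN_PREFIX
                    + b"\xb8\x00\x00\x00\x00"
                    + b"This program cannot be run in DOS mode."
                    + b"\x00" * 32)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    if key:
        print("decrypted header starts with:", xor_bytes(SAMPLE_BLOB, key)[:2])
```

The consistency check matters: with only two known bytes ("MZ") almost any key length would look plausible, so the 16-byte header is used both to derive the key and to reject wrong key lengths. Real loaders may add a second layer (compression, a custom stream cipher) on top of the XOR; this example covers only the XOR stage the article mentions.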

Example of original stolen email of a Deutsche Bahn invoice with hijacked attachment

Strela Stealer has primarily targeted Spanish-speaking users and has now expanded its scope to Ukrainian victims. This is enabled by a modified language verification mechanism that uses the GetKeyboardLayoutList API, backed by a secondary check based on locale information. 
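Because the stealer gates execution on the installed keyboard layouts, an analyst needs to know how the handles returned by GetKeyboardLayoutList map to languages, both to read the check in a disassembly and to build a detonation environment in which the sample actually runs. The following added example (written for this article, not code from the article or from the malware) decodes those handles with the documented Windows LANGID layout; the sample layout lists are constructed, and only the optional ctypes helper touches the real API.

```python
# Added example (not from the article or from the malware): decoding the
# keyboard-layout handles (HKL) that GetKeyboardLayoutList returns, so an
# analyst can tell whether a sample's language gate would pass on a host.
import sys
from typing import Iterable, List, Set

# Windows primary language identifiers (winnt.h LANG_* values).
LANG_GERMAN = 0x07
LANG_ENGLISH = 0x09
LANG_SPANISH = 0x0A
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_NAMES = {LANG_GERMAN: "German", LANG_ENGLISH: "English",
              LANG_SPANISH: "Spanish", LANG_RUSSIAN: "Russian",
              LANG_UKRAINIAN: "Ukrainian"}


def hkl_to_langid(hkl: int) -> int:
    """The low word of an HKL is the input language identifier (LANGID)."""
    return hkl & 0xFFFF


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a LANGID."""
    return langid & 0x3FF


def sublangid(langid: int) -> int:
    """SUBLANGID(): the top 6 bits of a LANGID (regional variant)."""
    return langid >> 10


def primary_languages(hkls: Iterable[int]) -> Set[int]:
    """Set of primary languages present in a list of layout handles."""
    return {primary_langid(hkl_to_langid(h)) for h in hkls}


def locale_gate_passes(hkls: Iterable[int], wanted: Set[int]) -> bool:
    """Model of a 'run only if a targeted language is installed' check:
    passes when any installed layout's primary language is in `wanted`."""
    return bool(primary_languages(hkls) & wanted)


def describe(hkls: Iterable[int]) -> List[str]:
    """Human-readable breakdown of each handle for a triage report."""
    out = []
    for h in hkls:
        lid = hkl_to_langid(h)
        name = LANG_NAMES.get(primary_langid(lid), "other")
        out.append(f"0x{h:08x} -> {name} (sublang {sublangid(lid)})")
    return out


def enumerate_layouts_windows() -> List[int]:
    """On Windows, read the real layout list via user32!GetKeyboardLayoutList.
    Returns [] on other platforms so the rest of the module stays runnable."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [(h or 0) & 0xFFFFFFFF for h in buf]


# Constructed layout lists using standard HKL values; not captured from a real host.
US_ONLY_HOST = [0x04090409]                # en-US only
SPANISH_HOST = [0x04090409, 0x0000040A]    # en-US plus es-ES (traditional sort)
UKRAINIAN_HOST = [0x04220422, 0x04190419]  # uk-UA plus ru-RU
# Languages the article says the stealer now checks for.
TARGETED = {LANG_SPANISH, LANG_UKRAINIAN}

if __name__ == "__main__":
    for label, host in (("US-only", US_ONLY_HOST), ("Spanish", SPANISH_HOST),
                        ("Ukrainian", UKRAINIAN_HOST)):
        print(label, describe(host), "gate passes:", locale_gate_passes(host, TARGETED))
```

The practical takeaway for a sandbox is that a default en-US image will never satisfy this gate, so the sample exits quietly and the run looks benign; adding a Spanish or Ukrainian layout (not just changing the display language) is what makes the payload proceed to its credential-harvesting stage. The article also mentions a secondary locale-based check, which this example does not model.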

A .NET variant obfuscated with Aldaray Rummage has also been observed, indicating increased sophistication and a possible shift in targeting, although the group's primary goal remains the theft of email credentials, likely for use in further attachment hijacking and eventual financial gain.
