The cybersecurity landscape has recently been affected by the emergence of the Strela Stealer malware, a sophisticated infostealer designed to target specific email clients, notably Microsoft Outlook and Mozilla Thunderbird.
This malware has been active since late 2022 and has been used primarily in large-scale phishing campaigns targeting users in several European countries, including Spain, Italy, Germany, and Ukraine.
The campaigns have evolved to include sending legitimate-looking invoice emails, but instead of the actual invoice, they carry a ZIP archive containing the Strela Stealer loader.
Technical Analysis and Delivery Mechanism
Strela Stealer is delivered through crafted phishing emails that encourage recipients to open a ZIP file, which contains a JScript file.
Once executed, this script connects to a command-and-control (C2) server to download a DLL and execute it using the regsvr32 utility.
The malware employs advanced obfuscation techniques, including multi-layer obfuscation and control-flow flattening, making it difficult to analyze.
According to the Trustwave report, the DLL is padded with unnecessary arithmetic operations and has no static imports, further complicating detection.
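The delivery chain described above (a JScript file from a phishing ZIP that fetches a DLL and runs it through regsvr32) maps directly onto process-creation telemetry. The following is an added example, not code from the article or from the Trustwave report: a Python detection routine that flags a regsvr32 launch whose parent is a Windows script host running a .js file, and/or whose DLL argument points into a user-writable directory. The `ProcessEvent` fields, the sample command lines and the directory list are assumptions made for illustration; real Sysmon (Event ID 1) or EDR process records would have to be mapped onto those fields.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. The field set is an assumption for this example."""
    pid: int
    parent_pid: int
    image: str          # executable file name, lower-cased, e.g. "regsvr32.exe"
    command_line: str


# Windows script hosts that execute JScript (.js / .jse) files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories a downloaded payload is typically written to (constructed list).
# A DLL registered from one of these is far less likely to be a legitimate installer.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata|public)\\", re.IGNORECASE)

# A quoted or unquoted path argument ending in .dll, and a .js/.jse script argument.
DLL_ARG = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)
JS_ARG = re.compile(r"\.jse?\b", re.IGNORECASE)


def regsvr32_reasons(event: ProcessEvent, parent: Optional[ProcessEvent]) -> List[str]:
    """Return the suspicious traits of a single regsvr32.exe launch (empty list if none)."""
    if event.image != "regsvr32.exe":
        return []
    reasons: List[str] = []
    if parent is not None and parent.image in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent.image}")
        if JS_ARG.search(parent.command_line):
            reasons.append("parent script host was running a JScript file")
    dll = DLL_ARG.search(event.command_line)
    if dll and USER_WRITABLE.search(dll.group(0)):
        reasons.append(f"DLL loaded from user-writable path: {dll.group(0)}")
    return reasons


def detect(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every regsvr32 launch matching the loader pattern."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons = regsvr32_reasons(e, by_pid.get(e.parent_pid))
        if reasons:
            findings[e.pid] = reasons
    return findings


# Constructed sample telemetry: one chain matching the article's description
# (explorer -> wscript running a .js -> regsvr32 loading a DLL from %TEMP%)
# and one benign-looking regsvr32 run by an installer from Program Files.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(200, 100, "wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Invoice_2024.js"'),
    ProcessEvent(300, 200, "regsvr32.exe",
                 r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\a.dll"'),
    ProcessEvent(400, 100, "regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Only the chained launch (pid 300) is reported; the installer run from Program Files with explorer.exe as its parent produces no reasons. The two traits are scored independently so that a regsvr32 launched by a script host against a DLL in a normal location, or a DLL in %TEMP% launched by some other parent, is still surfaced with a shorter reason list.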
Operation and Exfiltration
After successful execution, Strela Stealer checks the system's locale to confirm that it matches the targeted regions.
If it does, the malware proceeds to steal email credentials from Microsoft Outlook and Mozilla Thunderbird.
For Outlook, it retrieves and decrypts the IMAP user, server, and password details from the registry.
The stolen data is exfiltrated via HTTP POST requests to a C2 server hosted within a Russian bulletproof hosting network.
Additionally, the malware gathers system information and lists installed applications, which are also sent to the C2 server.
Strela Stealer's infrastructure is linked to the Proton66 OOO autonomous system, a network known for hosting various malware operations.
The threat actor behind Strela Stealer, dubbed 'Hive0145', has developed sophisticated social engineering tactics and technical evasion techniques to maintain the malware's effectiveness.
As cybersecurity threats continue to evolve, understanding and mitigating such targeted attacks remains crucial for protecting sensitive user data.