| StrelaStealer | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | Unknown |
| Date of initial activity | 2022 |
| Associated Groups | Unknown |
| Targeted Countries | US and EU |
| Motivation | The main purpose of StrelaStealer is to steal email login data from well-known email clients and send it back to the C2 server defined in the malware configuration. |
| Attack vectors | Earlier versions of StrelaStealer infected the system via an email with an attached .iso file. The latest version of StrelaStealer spreads through spear-phishing emails that carry a ZIP file attachment. |
| Targeted systems | Windows |
| Variants | Unknown |
Overview
The StrelaStealer malware is an evolving threat designed to steal email credentials by targeting popular email clients. Once compromised, the attacker gains unauthorized access to the victim’s email account, facilitating further malicious actions.
Since its emergence in 2022, the threat actor orchestrating StrelaStealer has conducted numerous extensive email campaigns, continually updating the malware and its delivery methods to evade detection by security measures.
Targets
Since the malware first emerged, the threat actor behind StrelaStealer has launched multiple large-scale email campaigns, typically across the EU and U.S. Recent campaigns appear to target organizations across many industries, with organizations in the high-tech industry being the largest target.
Techniques Used
DISCOVERY
- Software Discovery – Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
- File and Directory Discovery – Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Query Registry – Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
- System Information Discovery – Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture.
EXECUTION
- Windows Command Shell – Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems.
- JavaScript – Adversaries may abuse various implementations of JavaScript for execution. JavaScript is a platform-independent scripting language commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
DEFENSE EVASION
- Obfuscated Files or Information – Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
- RunDLL32 – Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe instead of executing a payload directly may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.
- Deobfuscate/Decode Files or Information – Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.
- Debugger Evasion – Adversaries may employ various means to detect and avoid debuggers.
INITIAL ACCESS
- Spearphishing Attachment – Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
COLLECTION
- Archive Collected Data – An adversary may compress and/or encrypt data that is collected prior to exfiltration.
- Automated Collection – Once established within a system or network, an adversary may use automated techniques for collecting internal data.
- Data from Local System – Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
- Email Collection – Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries.
EXFILTRATION
- Exfiltration Over C2 Channel – Adversaries may steal data by exfiltrating it over an existing command and control channel.
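The execution and evasion techniques above (JavaScript, Windows command shell, RunDLL32) combined with the ZIP/ISO delivery form a process chain a defender can hunt for. The following is an added detection example, not code from the page or from any vendor report: it scores constructed Sysmon-style process-creation events and flags rundll32.exe when at least two indicators line up. It assumes wscript.exe/cscript.exe as the JavaScript host and a `Temp1_` Explorer extraction path for a ZIP opened from the mail client; all paths and PIDs are made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",   # assumed JS host
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c rundll32.exe C:\Users\alice\AppData\Local\Temp\out.dll,entry"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\out.dll,entry"},
    # Benign control-panel launch: rundll32 loading a DLL from System32, no suspicious parent.
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Temp)\\", re.I)
ARCHIVE_ORIGIN = re.compile(r"\.(zip|iso)\\|Temp1_", re.I)   # ZIP/ISO delivery trace
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Walk parent links from pid upward; returns the chain nearest-parent first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def score_rundll32(events):
    """Return [(pid, reasons)] for rundll32.exe events with two or more indicators."""
    findings = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        parents = ancestry(events, e["ppid"])
        parent_names = {basename(p["image"]) for p in parents}
        reasons = []
        if USER_WRITABLE.search(e["cmdline"]):
            reasons.append("dll-in-user-writable-path")
        if "cmd.exe" in parent_names:
            reasons.append("spawned-via-cmd")
        if SCRIPT_HOSTS & parent_names:
            reasons.append("script-host-ancestor")
        if any(ARCHIVE_ORIGIN.search(p["cmdline"]) for p in parents):
            reasons.append("archive-or-iso-origin")
        if len(reasons) >= 2:
            findings.append((e["pid"], reasons))
    return findings
```

Requiring two independent indicators keeps routine rundll32 use (control panel, shell extensions) out of the alert while still catching the script-host to cmd to rundll32 chain with a DLL dropped under the user profile.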
Significant Malware Campaigns
- StrelaStealer Aims for European Nations. (April 2024)
- StrelaStealer malware steals email login data from well-known email clients. (March 2024)
- Strela malware landed in Italy. (May 2023)
- StrelaStealer is an infostealer variant initially discovered back in 2022 and known to be targeting specifically Spanish users. (May 2023)
- ASEC analysis team confirms that StrelaStealer Infostealer is being distributed to Spanish users. (May 2023)
- StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird. (November 2022)
References:
- Updated StrelaStealer Targeting European Countries
- Large-Scale StrelaStealer Campaign in Early 2024
- Technical Analysis and Considerations on Strela Malware
- StrelaStealer malware continues to target Spanish users
- StrelaStealer Being Distributed To Spanish Users
- New StrelaStealer malware steals your Outlook, Thunderbird accounts
- ShortAndMalicious: StrelaStealer aims for mail credentials