Everything you need to know about ‘StrelaStealer’, an email credential-stealing malware being used to target EU and US firms


Over 100 organizations in the EU and US have been impacted by StrelaStealer, a large-scale credential-stealing malware campaign, according to new research.

Researchers at Palo Alto Networks’ Unit 42 threat intelligence arm identified a “wave of large-scale StrelaStealer campaigns impacting” major organizations across both regions following a previous campaign towards the end of 2023.

StrelaStealer targets email credentials, specifically the login data stored by the Outlook and Thunderbird clients, exfiltrating it from the victim's machine to the attacker's command and control (C2) server.

StrelaStealer was first documented in November 2022 by Berlin-based cyber security company DCSO CyTec, and the infection methods used to distribute it have evolved since its initial deployment.

Early versions of the attacks used ISO files to distribute the malware, predominantly targeting Spanish-speaking victims with lure documents.

Palo Alto's research found the attackers changed the initial email attachment file format from one campaign to the next in order to evade detection signatures or patterns generated from the earlier campaign.

DCSO CyTec's research highlighted that the November 2022 campaign's infection chain delivered the payload as DLL/HTML polyglot files: a single file that is valid both as an HTML document and as a DLL, so a browser renders it as a web page while rundll32.exe loads and executes it. The file is therefore treated differently depending on the executing application.

In contrast, the current StrelaStealer campaign observed by Unit 42 spreads the payload via spear-phishing emails with ZIP file attachments. Once the victim downloads and extracts the ZIP, a JScript file is dropped onto their system.

This JScript file contains a base64-encoded file that, once decoded, yields a portable executable (PE) DLL; the payload is deployed when that DLL is executed via rundll32.exe.
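As an added illustration (not code from the Unit 42 or DCSO reports), the following Python triage script inspects a ZIP attachment offline for the chain just described: it lists script members, searches each for long base64 runs, decodes them and checks whether the result carries an MZ/PE header, and notes whether the script references rundll32. The ZIP it inspects is constructed inline as a stand-in for a lure; the member name `invoice.js`, the zero-filled fake DLL and the export name `EntryPoint` in the script's rundll32 call are placeholders, not indicators from either report.

```python
import base64
import io
import re
import struct
import zipfile

# Script types a mail-borne dropper commonly uses; the campaign described here used JScript.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".hta")
# Runs of at least 64 base64 characters; shorter runs are usually ordinary string literals.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Report every script member of the archive and whether it embeds a base64-encoded PE."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            data = zf.read(name)
            finding = {"member": name, "embedded_pe": False,
                       "rundll32": b"rundll32" in data.lower()}
            for match in B64_RUN.finditer(data):
                try:
                    decoded = base64.b64decode(match.group(0), validate=True)
                except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
                    continue
                if looks_like_pe(decoded):
                    finding["embedded_pe"] = True
                    finding["pe_size"] = len(decoded)
                    break
            findings.append(finding)
    return findings


def build_fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a DLL: valid DOS header and PE signature, zero-filled otherwise."""
    hdr = bytearray(size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> offset of the PE signature
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed lure archive (not a real sample): a JScript dropper plus an innocuous text file."""
    pe_b64 = base64.b64encode(build_fake_pe()).decode()
    script = (
        f'var blob = "{pe_b64}";\n'
        'var sh = new ActiveXObject("WScript.Shell");\n'
        '// in the real chain the decoded blob is written to disk and launched through rundll32\n'
        'sh.Run("rundll32.exe payload.dll,EntryPoint");  // EntryPoint is a placeholder export name\n'
    ).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", script)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The MZ/PE check is deliberately shallow: a dropper that XORs or otherwise obscures the blob before base64-encoding it will pass, so treat a hit as a confirmation and a miss as nothing more than the absence of this one pattern.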

The latest version of the infection chain features stronger obfuscation, as the threat actors look to conceal the new attack path and evade detection.

This was achieved with an updated packer that applies control-flow obfuscation to hinder analysis by security teams.

Both campaigns deliver the payload as a DLL whose malicious export function must be invoked to launch the attack, but Unit 42's report noted that the latest wave incorporates several modifications to impair analysis.

These include excessively long blocks of arithmetic instructions, which can cause timeouts when researchers attempt to execute the samples in a sandbox environment.
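Because both campaigns run the DLL by having rundll32.exe call one of its exports, endpoint process-creation telemetry is a place to catch the chain regardless of which packer wraps the payload. The following Python scorer is an added example and not detection content from Unit 42: it flags rundll32.exe when it is spawned by a script host and told to load a DLL from a user-writable directory, and records the export named on the command line. The JSON events it reads are constructed here; the field names (`image`, `parent_image`, `command_line`), the paths and the export name `Entry` are assumptions, not indicators from the report.

```python
import json
import ntpath
import re

# Script hosts that would launch rundll32 in a JScript-dropper chain (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}

# Directories where a user-extracted attachment typically lands (assumption).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|temp)\\", re.I
)

# rundll32 syntax is "<dll>,<export>": the export name is what makes the DLL's code run.
RUNDLL_ARGS = re.compile(
    r'^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I
)


def score_event(evt: dict) -> dict:
    """Score one process-creation event; anything other than rundll32.exe scores 0."""
    result = {"score": 0, "reasons": [], "export": None}
    if ntpath.basename(evt.get("image", "")).lower() != "rundll32.exe":
        return result
    parent = ntpath.basename(evt.get("parent_image", "")).lower()
    if parent in SCRIPT_HOSTS:
        result["reasons"].append(f"spawned by script host {parent}")
    match = RUNDLL_ARGS.match(evt.get("command_line", ""))
    if match:
        dll = match.group("dll")
        result["export"] = match.group("export")
        if USER_WRITABLE.search(dll):
            result["reasons"].append(f"DLL loaded from user-writable path {dll}")
        if not dll.lower().endswith(".dll"):
            # A PE renamed to .dat or .txt still loads through rundll32.
            result["reasons"].append(f"DLL argument has non-.dll extension: {dll}")
    result["score"] = len(result["reasons"])
    return result


def detect(log_lines, threshold: int = 2) -> list[dict]:
    """Parse JSON-lines process events and return those scoring at or above threshold."""
    hits = []
    for line in log_lines:
        evt = json.loads(line)
        scored = score_event(evt)
        if scored["score"] >= threshold:
            hits.append({"pid": evt.get("pid"), "export": scored["export"],
                         "reasons": scored["reasons"]})
    return hits


# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
SAMPLE_LOG = [
    r'{"pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "rundll32.exe shell32.dll,Control_RunDLL"}',
    r'{"pid": 5316, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\out.dll,Entry"}',
    r'{"pid": 5402, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "rundll32.exe user32.dll,LockWorkStation"}',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Only the second event crosses the threshold: the first is a normal shell invocation, and the third has a script-host parent but loads a system DLL, which is why the parent alone is worth one point rather than an alert on its own.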

The November 2023 campaign involved phishing attacks targeting over 250 organizations in the US, and just under 100 European entities, according to Unit 42 data.

The latest wave of StrelaStealer attacks took place in January 2024 and saw threat actors launch over 500 attacks on US organizations and around 100 on European firms, with another spike at the start of February that saw around 250 attacks targeting US organizations.

Palo Alto’s research found the most recent campaign targeted organizations across several industries. However, the ‘high tech’ sector was by far the most popular target for cyber criminals.

Around 875 StrelaStealer-based attacks were launched at technology companies during the January 2024 campaign.

After high tech, the most frequently targeted industries were finance, professional and legal services, and manufacturing, with around 125 organizations in each sector subjected to StrelaStealer attacks.

Palo Alto's report provided indicators of compromise for the various file types used in the infection chain, and organizations are advised to ensure their employees exercise caution when inspecting any unsolicited emails they receive. Given that the observed delivery vector is a ZIP attachment containing a script file, blocking or quarantining archives that contain script files at the mail gateway is a practical complement to user awareness.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.