The emergence of the Strela Stealer malware has sent shockwaves through the cybersecurity landscape, particularly impacting users of Microsoft Outlook and Mozilla Thunderbird in several European countries. Since late 2022, this sophisticated infostealer has been at the center of large-scale phishing campaigns, with a focus on countries like Spain, Italy, Germany, and Ukraine.
These campaigns have taken a troubling turn, with cybercriminals now disguising malicious payloads within seemingly legitimate emails containing invoices. However, instead of a standard invoice, recipients are greeted with a ZIP archive housing the Strela Stealer malware loader, ready to wreak havoc on unsuspecting users.
The technical analysis of Strela Stealer reveals a sophisticated delivery mechanism through crafted phishing emails enticing recipients to open a ZIP file containing a JScript file. Once activated, this script establishes a connection with a command-and-control (C2) server to retrieve and execute a DLL file using the regsvr32 utility. The malware’s use of advanced obfuscation techniques, such as multi-layer obfuscation and control-flow flattening, poses significant challenges for security analysts attempting to dissect its operations.
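As an added example, not code from the article or from Trustwave's analysis, the Python below flags the loader chain described above (a JScript file run by a script host that spawns regsvr32 to register a DLL) in Sysmon-style process-creation events; the events, user name, file names and paths are constructed for illustration.

```python
"""Flag the Strela Stealer loader chain (a JScript file run by wscript.exe or
cscript.exe that spawns regsvr32.exe to register a DLL) in Sysmon-style
process-creation events. All events below are constructed samples."""
import re

# Constructed sample telemetry: user, file names and paths are invented.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_Factura.zip\Factura.js"'},
    {"pid": 5100, "ppid": 5012, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\bsf.dll"},
    {"pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths a low-privilege user can write to; a DLL registered from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Explorer's open-from-inside-the-archive extraction lands in %TEMP%\Temp1_<name>.zip\.
ZIP_TEMP = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_loader_chain(events):
    """Return one finding per regsvr32 launch that matches the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("regsvr32 spawned by script host")
            if ZIP_TEMP.search(parent["cmdline"]):
                reasons.append("parent script ran from a ZIP opened in Explorer")
        if USER_WRITABLE.search(e["cmdline"]):
            reasons.append("DLL registered from a user-writable path")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
```

Only the regsvr32 launch whose parent is the script host and whose DLL sits under the user profile is reported; the vendor DLL registered from Program Files by Explorer is not.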
Trustwave’s analysis sheds light on the complexity of Strela Stealer, highlighting the DLL’s convoluted structure, padded with unnecessary arithmetic operations and lacking static imports, which further complicates detection efforts. Upon execution, the malware verifies the system’s locale to ensure it aligns with the targeted regions before proceeding to harvest email credentials from Microsoft Outlook and Mozilla Thunderbird.
For Outlook users, the malware steals and decrypts IMAP user, server, and password details from the registry before exfiltrating the stolen data via HTTP POST requests to a C2 server nestled within a Russian bulletproof hosting network. Not stopping there, Strela Stealer also collects system information and compiles a list of installed applications, all of which are sent to the C2 server.
The infrastructure supporting Strela Stealer is tied to the Proton66 OOO autonomous system, a network notorious for hosting various malware operations. The threat actor, known as ‘Hive0145’, has honed sophisticated social engineering tactics and technical evasion methods to maintain the malware’s efficacy, ensuring a constant threat to users’ sensitive data.
As the cybersecurity landscape continues to evolve, staying vigilant against targeted attacks like Strela Stealer is paramount in safeguarding valuable user information. The evolving nature of cyber threats underscores the need for robust cybersecurity measures to counteract malicious activities that jeopardize the privacy and security of individuals and organizations alike.