Verticals Targeted: Technology, Finance, Legal Services, Manufacturing, Government, Energy, Insurance, Construction
Executive Summary
StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU. The newest version of StrelaStealer is more advanced than previous versions and includes features to help thwart analysis.
Key Takeaways
- StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU.
- StrelaStealer is distributed via large scale spam campaigns.
- The most recent StrelaStealer campaign targeted multiple verticals including technology, finance, legal services, manufacturing, government, energy, insurance, and construction.
- The latest version of StrelaStealer uses an updated packer and a control flow obfuscation technique in an attempt to thwart analysis.
What is StrelaStealer?
StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU. Palo Alto’s Unit 42 reported on this activity. StrelaStealer is capable of stealing email login data and sending it to the threat actor-controlled C2. StrelaStealer has been active since 2022, and the most recently documented StrelaStealer campaign was in late January 2024. Obtaining access to the victim’s email login information allows threat actors to engage in follow-up attacks.
StrelaStealer is distributed via large-scale spam campaigns. The emails contain attachments that initiate an infection chain, resulting in the launch of StrelaStealer’s DLL payload. The threat actors behind StrelaStealer are clever, changing the file format used from one campaign to another to help prevent signature or pattern-based detection.
The threat actors also updated the payload with more advanced obfuscation and anti-analysis capabilities. The latest version of StrelaStealer is more advanced than previous versions. It uses an updated packer and a control flow obfuscation technique in an attempt to thwart analysis. However, the DLL still includes the “Strela” string.
In the most recent campaign, StrelaStealer targeted multiple verticals, including technology, finance, legal services, manufacturing, government, energy, insurance, and construction. The spearphishing email used in the campaign masqueraded as an invoice. The threat actors used a zipped JScript file to deliver the payload. Once the ZIP is opened, the JScript file is dropped, which in turn drops a Base64-encoded file and a batch file. The encoded file is decoded to produce a PE DLL, which is written to a temp directory. The DLL is then executed through its exported hello function using rundll32.exe.
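As an added example (not part of the PolySwarm report or its tooling), the chain described above expressed as detection logic over constructed process-creation events: a script host spawning cmd.exe for the dropped batch file, followed by rundll32.exe loading a DLL from a temp directory via an export named hello. The pipe-delimited event format, user name, file names and paths are assumptions for illustration, not artifacts from the campaign.

```python
import re

# Constructed process-creation events (not real telemetry): ts|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2024-01-29T10:01:02Z|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\u\Downloads\invoice_2024.js"
2024-01-29T10:01:03Z|C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"
2024-01-29T10:01:04Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,hello
2024-01-29T10:05:00Z|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
2024-01-29T10:06:00Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
"""

# Temp locations a dropped DLL is likely to be written to (assumed set; extend for your environment)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# rundll32 <dll path>,<export name>  (path optionally quoted)
RUNDLL_ARGS = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+)\"?\s*,\s*(\w+)", re.IGNORECASE)


def parse_events(text):
    """Split the constructed pipe-delimited log into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmd = line.split("|", 3)
        events.append({"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events


def detect(events):
    """Return (timestamp, rule_name) pairs for events matching the two chain stages."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1]
        parent = ev["parent"].rsplit("\\", 1)[-1]
        # Stage 1: script host (the dropped JScript) spawning cmd.exe to run the batch file
        if exe == "cmd.exe" and parent in ("wscript.exe", "cscript.exe"):
            findings.append((ev["ts"], "script_host_spawned_cmd"))
        # Stage 2: rundll32 loading a DLL from a temp directory through an export named "hello"
        if exe == "rundll32.exe":
            m = RUNDLL_ARGS.search(ev["cmd"])
            if m and TEMP_DIR.search(m.group(1)) and m.group(2).lower() == "hello":
                findings.append((ev["ts"], "rundll32_temp_dll_hello_export"))
    return findings


if __name__ == "__main__":
    for ts, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(ts, rule)
```

The benign shell32.dll and plain cmd.exe events in the sample produce no finding, which is the false-positive check a rule like this needs before deployment.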
IOCs
PolySwarm has multiple samples of StrelaStealer.
e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1
544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45
You can use the following CLI command to search for all StrelaStealer samples in our portal:
$ polyswarm link list -f StrelaStealer