The PolySwarm Blog


StrelaStealer Campaign Targeted US and EU

Apr 1, 2024 2:28:11 PM / by The Hivemind

Verticals Targeted: Technology, Finance, Legal Services, Manufacturing, Government, Energy, Insurance, Construction

Executive Summary

StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU. The newest version of StrelaStealer is more advanced than previous versions and includes features to help thwart analysis.

Key Takeaways

  • StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU. 
  • StrelaStealer is distributed via large scale spam campaigns.
  • The most recent StrelaStealer campaign targeted multiple verticals including technology, finance, legal services, manufacturing, government, energy, insurance, and construction.
  • The latest version of StrelaStealer uses an updated packer and a control-flow obfuscation technique in an attempt to thwart analysis.

What is StrelaStealer?

As reported by Palo Alto Networks’ Unit 42, StrelaStealer was recently used in a widespread campaign targeting over 100 entities in the US and EU. StrelaStealer steals email login credentials and sends them to the threat actor-controlled C2 server. It has been active since 2022, and the most recently documented campaign took place in late January 2024. Access to a victim’s email credentials lets the threat actors carry out follow-on attacks.

StrelaStealer is distributed via large-scale spam campaigns. The emails carry attachments that start an infection chain ending in the launch of StrelaStealer’s DLL payload. The threat actors change the attachment file format from one campaign to the next, which undermines signature- and pattern-based detection of the delivery stage.

The threat actors also updated the payload with stronger obfuscation and anti-analysis capabilities: the latest version uses an updated packer and a control-flow obfuscation technique intended to thwart analysis. The DLL still contains the “Strela” string, so that string remains usable as a detection artifact.

In the most recent campaign, StrelaStealer targeted multiple verticals, including technology, finance, legal services, manufacturing, government, energy, insurance, and construction. The spearphishing emails masqueraded as invoices and carried a ZIP archive containing a JScript file. When the archive is opened and the JScript runs, it drops a Base64-encoded file (Base64 is an encoding, not encryption) together with a batch file. The Base64-encoded file is decoded into a PE DLL in a temp directory, and the DLL is then executed via rundll32.exe by calling its exported function named hello.
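The chain above leaves a distinctive process tree on the endpoint: a script host runs the JScript, cmd.exe runs a batch file from a temp directory, and rundll32.exe loads a DLL from a temp directory with the export hello. The script below is an added example written for this bulletin; it is not code from the original post, from PolySwarm, or from Unit 42. It assumes process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) exposed as dicts with Image, CommandLine, ParentImage and ParentCommandLine fields. The sample events, user name and file names (invoice.js, stage.bat, stage.dll) are constructed placeholders, not IOCs from the campaign.

```python
"""Hunt for the StrelaStealer-style batch-to-rundll32 launch in process-creation events."""
import ntpath
import re

# rundll32 <dll>,<export>; the rundll32 image and the DLL path may each be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*"?(?P<export>[^\s"]+)',
    re.I,
)
TEMP_RE = re.compile(r'\\Temp\\', re.I)            # matches %TEMP% and C:\Windows\Temp
BATCH_RE = re.compile(r'\.(?:bat|cmd)\b', re.I)     # a batch file referenced on a command line
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry (hypothetical paths and file names), not real events.
SAMPLE_EVENTS = [
    {   # the victim runs the JScript extracted from the ZIP attachment
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # the JScript runs the batch file it dropped into %TEMP%
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\stage.bat"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"',
    },
    {   # the batch stage launches the decoded DLL through its exported hello function
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,hello",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\stage.bat"',
    },
    {   # benign rundll32 use for contrast: a system DLL launched from Explorer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]


def _basename(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def batch_stage_findings(event):
    """Reasons a cmd.exe event looks like the batch stage of the chain (empty list if none)."""
    if _basename(event.get("Image")) != "cmd.exe":
        return []
    reasons = []
    parent = _basename(event.get("ParentImage"))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"cmd.exe spawned by script host {parent}")
    cmd = event.get("CommandLine", "")
    if BATCH_RE.search(cmd) and TEMP_RE.search(cmd):
        reasons.append("batch file executed from a temp directory")
    return reasons


def rundll32_findings(event):
    """Reasons a rundll32.exe event looks like the DLL launch stage (empty list if none)."""
    if _basename(event.get("Image")) != "rundll32.exe":
        return []
    match = RUNDLL32_RE.search(event.get("CommandLine", ""))
    if not match:
        return []
    reasons = []
    dll, export = match.group("dll"), match.group("export")
    if TEMP_RE.search(dll):
        reasons.append("DLL loaded from a temp directory")
    if export.lower() == "hello":
        reasons.append("export name 'hello' (StrelaStealer entry point)")
    parent = _basename(event.get("ParentImage"))
    if parent == "cmd.exe" or parent in SCRIPT_HOSTS:
        reasons.append(f"rundll32.exe spawned by {parent}")
    parent_cmd = event.get("ParentCommandLine", "")
    if BATCH_RE.search(parent_cmd) and TEMP_RE.search(parent_cmd):
        reasons.append("parent ran a batch file from a temp directory")
    return reasons


def triage(events, min_reasons=2):
    """Return (index, reasons) for every event that hits at least min_reasons indicators.

    Requiring two indicators keeps a lone rundll32-from-Temp or a lone
    cmd.exe-under-wscript from paging anyone by itself.
    """
    hits = []
    for idx, event in enumerate(events):
        reasons = batch_stage_findings(event) + rundll32_findings(event)
        if len(reasons) >= min_reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run stand-alone, the script flags the cmd.exe and rundll32.exe events (indices 1 and 2) and ignores both the Explorer-launched Control_RunDLL call and the wscript.exe launch of the .js file; the latter is deliberately left as context only, since a script host opening a user-supplied .js is too common to alert on by itself. Because the actors change the attachment format between campaigns, the rundll32 stage with the hello export and a temp-directory DLL is the part of the chain most worth keying detections on.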

IOCs

PolySwarm has multiple samples of StrelaStealer.

 

e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1

544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45

 

You can use the following CLI command to search for all StrelaStealer samples in our portal:

$ polyswarm link list -f StrelaStealer

 


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 

Topics: Threat Bulletin, Government, Stealer, Energy, Manufacturing, Legal Services, Insurance, Construction, StrelaStealer, Email, Finance
