Cyber999 Advisories

3 April 2024     Advisory

MA-1056.042024: MyCERT Advisory - Malware Campaign-StrelaStealer


1.0 Introduction
StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim’s email login information, which they can then use to perform further attacks. Since the first emergence of the malware in 2022, the threat actor behind StrelaStealer has launched multiple large-scale email campaigns and there is no sign of them slowing down.

The email credential stealer StrelaStealer was initially identified on November 8, 2022, by DCSO_Cytec in their Medium blog. The threat actor behind StrelaStealer has conducted several massive email campaigns since the malware’s initial appearance, usually spanning the EU and the US. The previous major campaign was launched in November 2023. A new campaign, initiated in late January 2024, targets several industries in the US and the EU.

StrelaStealer’s primary objective remains unchanged, and the payload DLL can still be recognized by its strela string. But it is clear that the threat actor updates the malware in an attempt to evade detection. The new variant of StrelaStealer uses an enhanced DLL payload obfuscation approach and is now delivered through a zipped JScript file.

Image 1 is a line graph comparing the attack count between the United States and the European Union in 2023, starting October 20th and ending November 19th. The highest period is from November 6 to November 8. This is the highest point for the United States. The European Union sees a similar trajectory to the United States, but it is much less pronounced. 

Figure 1: Last Large-Scale Campaign in November 2023.

 

Image 2 is a line graph comparing the attack count between the United States and the European Union in 2024, starting January 15th and ending February 15th. The highest peak for the United States is between January 28 and January 30. There is a second peak from February 5 to February 7. As in the November campaign, the attack count in the European Union follows the same trajectory as the United States but is much lower.

Figure 2: Recent Large-Scale Campaign in January 2024.

During this campaign, the language used in the StrelaStealer spam emails is localized, and the subject line follows a pattern such as “Factura/Rechnung/invoice####.”

Image 3 is a screenshot of an email with some of the information redacted. The email is written in German, and the message includes a zip file attachment that is 179 kB in size.

Figure 3: Example spam email.

Figure 4 illustrates that although the recent campaign appears to target organizations across various industries, those in the high-tech sector have been the primary focus.

Image 4 is a bar chart of the count of industries affected by StrelaStealer. The first is high technology, which has the most at almost 1,000. The other seven industries have less than 250 counts each. This includes finance, professional and legal services, manufacturing, state and local government, utilities and energy, insurance and construction.

Figure 4: Count of StrelaStealer sample seen for top eight industries.

2.0 Impact
The threat actor would gain access to the victim’s email login credentials, which they can then use to perform further attacks.

3.0 Technical Details
3.1 Technical Details of New StrelaStealer Variant
3.1.1 Original StrelaStealer Infection Chain and Payload 
Earlier versions of StrelaStealer, as detailed in DCSO’s blog on Medium, employed email-based infection utilizing attached .iso files. These .iso files were comprised of both a .lnk file and a HyperText Markup Language (HTML) file. The attack utilized polyglot files, which could be interpreted differently depending on the executing application.

Upon the victim clicking on the .lnk file within the .iso file, the HTML file would execute, subsequently invoking rundll32.exe to run the embedded StrelaStealer payload. During execution, the initial payload contained encrypted strings, which were decrypted using a fixed XOR key.

Image 5 highlights where in the code the decryption key is located.

Figure 5: Decryption key.

3.1.2 Updated Infection Chain
In the current version of StrelaStealer, the distribution method has evolved to spear-phishing emails containing ZIP file attachments. Upon downloading and opening the archive, a JScript file is dropped onto the system.

Subsequently, the JScript file drops both a Base64-encoded file and a batch file. The Base64-encoded file undergoes decoding via the certutil -f decode command, resulting in the generation of a Portable Executable (PE) DLL file. Depending on the user’s privileges, this file is then placed either in %appdata%\temp or c:\temp on the local disk. Finally, the DLL file is executed using the exported function “hello” via rundll32.exe.

Image 6 is the StrelaStealer infection chain. It starts with a malspam email and branches into new and old. The new infection chain is a zip to JavaScript to BAT file, Run DLL 32, and finally the StrelaStealer payload DLL. The old infection chain is ISO to HTML link to run DLL 32 to the StrelaStealer payload DLL.

Figure 6: Infection Chain of the previous version and the newer variant.
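The updated infection chain above leaves a distinctive process trail (script host running a .js, certutil decoding a file, rundll32 loading a DLL from a temp directory with the export hello). The following is an added detection example, not code from MyCERT or from the advisory; the Sysmon-style process-creation lines, the field layout and the function names are constructed for illustration.

```python
"""Flag the three host-side stages of the new StrelaStealer chain in
process-creation logs. Added example with constructed input; the pipe-separated
ParentImage|Image|CommandLine layout is an assumption of this example."""
import re

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Temp\Rechnung1234.js",
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\u\AppData\Roaming\temp\run.bat",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -f -decode C:\Users\u\AppData\Roaming\temp\p.txt C:\Users\u\AppData\Roaming\temp\p.dll",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Roaming\temp\p.dll,hello",
    r"C:\Windows\explorer.exe|C:\Program Files\Git\cmd\git.exe|git pull",
]

# Each rule: (stage name, accepted image basenames, regex over the command line).
RULES = [
    ("script_host_runs_js", ("wscript.exe", "cscript.exe"), re.compile(r"\.js\b", re.I)),
    # certutil with -f plus decode (the page writes "certutil -f decode"; the real switch is -decode).
    ("certutil_decode", ("certutil.exe",), re.compile(r"-f\b.*-?decode\b", re.I)),
    # A DLL under a \temp\ directory (%appdata%\temp or c:\temp) invoked with export "hello".
    ("rundll32_temp_dll_hello", ("rundll32.exe",), re.compile(r"\\temp\\[^ ,]*\.dll,\s*hello\b", re.I)),
]

STAGES = [name for name, _, _ in RULES]


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def match_rules(events):
    """Return the stage names hit, in the order they appear in the log."""
    hits = []
    for ev in map(parse_event, events):
        for name, images, pattern in RULES:
            if ev["image"] in images and pattern.search(ev["cmdline"]):
                hits.append(name)
    return hits


def chain_detected(events):
    """True only when all three stages occur and in the documented order."""
    hits = match_rules(events)
    positions = [hits.index(s) if s in hits else -1 for s in STAGES]
    return all(p >= 0 for p in positions) and positions == sorted(positions)


if __name__ == "__main__":
    print(match_rules(SAMPLE_EVENTS), chain_detected(SAMPLE_EVENTS))
```

A single stage on its own (certutil decoding a file, for instance) is common enough in administration to deserve only a low-severity alert; the ordered chain is what merits an escalation.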

3.1.3 Updated Packer
In the latest iteration of StrelaStealer observed during the January 2024 campaign, significant advancements have been made in the packer, notably employing a control flow obfuscation technique to hinder analysis efforts.

Highlighted in Figure 7, the initial function demonstrates this obfuscation method through excessively long code blocks comprising numerous arithmetic instructions. This approach serves as an anti-analysis measure, potentially causing timeouts when executing samples within a sandbox environment.

Image 7 is a screenshot of multiple windows of code. Highlighted in red boxes is the disassembler’s notice that the code block is too big to display. The block length is also highlighted in a red box at the top left.

Figure 7: Obfuscation (excessively large code block).

Both the original and the updated StrelaStealer payloads are DLL files featuring a malicious export function responsible for initiating the attack. Figure 8 provides a comparison of these payload DLLs’ malicious export functions.

Observing the older version of StrelaStealer (left side of Figure 8), it becomes apparent that minimal obfuscation was employed, as the function block remains clean and easily readable upon disassembly. Conversely, the latest version (right side of Figure 8) reveals the utilisation of control flow obfuscation by threat actors to elude analysis and detection efforts.

Figure 8 is two screenshots side-by-side comparing the export functions of the two different versions of StrelaStealer. On the left is the old version. On the right is the new version.

Figure 8: Export function of old (left) and new (right) versions of StrelaStealer.

Referring to the configuration depicted in Figure 9, the decryption process involves utilizing both the payload size and decryption key. Through this process, the payload undergoes decryption, resulting in a memory-mapped PE file. Notably, this decrypted payload differs significantly from the one observed in earlier versions of StrelaStealer.

Figure 9 is a screenshot of encrypted code. It includes the key in green, the encrypted payload in yellow, and the payload size, labeled with red text.

Figure 9: Encrypted payload.

The presence of strings such as “strela”, “server.php”, “key4.db” and “login.json” within the decrypted payload strongly suggests its association with StrelaStealer.

The primary objective of StrelaStealer is to pilfer email login credentials from popular email clients and transmit them back to the Command and Control (C2) server specified in the malware configuration.

Image 10 is a screenshot of the StrelaStealer string and its C2 defined in the malware configuration. The StrelaStealer string is indicated by a red box, and the C2 is below it.

Figure 10: StrelaStealer string as well as C2 server name.

The StrelaStealer threat actor has introduced several significant modifications, likely aimed at evading detection. Notably, earlier versions of StrelaStealer contained PDB strings, which are debugging symbol strings emitted by the compiler. However, in samples from the latest campaign, these PDB strings are no longer present, making it less apparent that the binary is associated with StrelaStealer. This omission could render certain naïve static signatures ineffective, particularly those reliant on the presence of these strings.

Image 11 is a screenshot of code where the PDB string is highlighted in blue.

Figure 11: PDB string from early StrelaStealer sample.

Figure 12 shows that the export name has changed from StrelaStealer to hello.

Image 12 is a screenshot of the export name changes from Strela to hello. On the top is the earlier version of Strela. The information includes the ordinal, the function RVA, the name ordinal, the name RVA, and the name. The latest version of StrelaStealer is on the bottom and includes the same information, and indicates how it has changed.

Figure 12: Export name changes from Strela to hello.

4.0 Indicators of Compromise (IoCs)


5.0 Recommendation
CyberSecurity Malaysia recommends that users and administrators review the following mitigations and apply the necessary updates:

  • Email Filtering and Spam Detection: Configure email filtering systems to detect and quarantine emails containing known StrelaStealer indicators, such as specific attachment types (e.g., .iso, .zip) or subject line patterns (e.g., "Factura/Rechnung/invoice####").
  • Block Known C2 Server IP Addresses: Maintain a blacklist of known Command and Control (C2) server IP addresses associated with StrelaStealer and block them at the network perimeter using firewalls or intrusion prevention systems (IPS).
  • Endpoint Protection: Deploy endpoint security solutions that include signature-based detection as well as behavior-based analysis to detect and prevent StrelaStealer infections on endpoints. Ensure that endpoint protection software is regularly updated with the latest threat intelligence.
  • Disable Autorun: Disable autorun features on endpoints to prevent the automatic execution of files from removable media, which could be used by StrelaStealer to propagate.
  • Web Filtering: Implement web filtering to block access to websites hosting StrelaStealer payloads or related malicious content. This can help prevent users from inadvertently downloading and executing StrelaStealer.
  • Regular Software Updates: Keep operating systems, software applications, and security solutions up-to-date with the latest patches and updates to address vulnerabilities that could be exploited by StrelaStealer.
  • Network Segmentation: Segment network resources to limit the spread of StrelaStealer in case of an infection. Restrict communication between network segments to contain the impact of compromised systems.
  • User Training and Awareness: Provide regular cybersecurity awareness training to employees to educate them about the risks of phishing emails, malicious attachments, and other common tactics used by StrelaStealer attackers. Encourage a culture of skepticism and vigilance when interacting with email attachments or links.
  • Incident Response Plan: Develop and maintain an incident response plan specifically tailored to respond to StrelaStealer infections. Ensure that the plan includes procedures for identifying, containing, and mitigating the impact of StrelaStealer attacks.
  • Threat Intelligence Sharing: Share threat intelligence about StrelaStealer with relevant industry groups, information sharing and analysis centres (ISACs), and cybersecurity communities to help others defend against this threat.
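The first recommendation above (filter on the localized invoice subject pattern and on ZIP/ISO attachments) can be expressed as a mail-gateway check. This is an added example, not code from MyCERT or from any vendor; the sample message, its attachment and the verdict labels are constructed here, and the check goes slightly beyond the text by opening the ZIP to look for the JScript file the advisory describes.

```python
"""Mail-gateway assessment for the StrelaStealer lure: invoice-style subject
(Factura/Rechnung/invoice####) plus an archive attachment carrying a .js file.
Added example with a constructed message; verdict names are this example's own."""
import io
import re
import zipfile
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^(factura|rechnung|invoice)\s*#?\d{4}\b", re.I)
ARCHIVE_EXT = (".zip", ".iso")   # attachment types named in the advisory
SCRIPT_EXT = (".js",)            # JScript dropper inside the archive


def build_sample(subject, inner_name):
    """Construct a test message with one ZIP attachment holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "WScript.Echo('constructed sample');")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg


def zip_members(payload):
    """Lower-cased member names, or [] if the payload is not a ZIP (e.g. an ISO)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def assess(msg):
    """Return (verdict, reasons) for one parsed message."""
    reasons = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        reasons.append("invoice-style subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXT):
            reasons.append(f"archive attachment {name}")
            members = zip_members(part.get_payload(decode=True))
            if any(m.endswith(SCRIPT_EXT) for m in members):
                reasons.append("script file inside archive")
    if "script file inside archive" in reasons:
        return "quarantine", reasons
    if len(reasons) == 2:   # lure subject plus an archive, nothing opened
        return "hold for review", reasons
    return "deliver", reasons
```

The subject regex is anchored at the start and requires the four digits the advisory cites, so ordinary messages that merely mention an invoice are not held.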

Users and administrators are advised to use products such as those listed below for better protection from StrelaStealer:

  • Cortex XDR with Advanced WildFire: With cloud-delivered static and dynamic analysis capabilities, Advanced WildFire is able to help detect new variants of StrelaStealer. Cortex XDR helps prevent StrelaStealer’s attack chain.
  • Next-Generation Firewalls with cloud-delivered security services including Advanced WildFire detection, Advanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.
  • Prisma Cloud Defender agents should be deployed on cloud-based Windows VMs to ensure they are protected from these known malicious binaries. WildFire signatures can be used by both Palo Alto Networks cloud services to ensure cloud-based Windows VM runtime operations are being analyzed and those resources are protected.

 

Generally, we advise users to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact us through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:30 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0 References

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)