According to new research, more than 100 organizations in the EU and US have been affected by StrelaStealer, a large-scale credential theft malware campaign.
Researchers from Palo Alto Networks' Unit 42 threat intelligence arm identified a “wave of large-scale StrelaStealer campaigns impacting” major organizations in both regions following a previous campaign towards the end of 2023.
StrelaStealer targets email credentials, extracting login data from the victim's email account and sending it back to the attacker's command and control (C2) server.
StrelaStealer was first documented in November 2022 by Berlin-based cybersecurity company DCSO CyTec, and the infection methods used to distribute it have evolved since its initial deployment.
Early versions of the attacks used ISO files to distribute the malware, primarily targeting Spanish-speaking victims using decoy documents.
Palo Alto's investigation found that the attackers changed the format of the initial email attachment from one campaign to the next to avoid detection by signatures or patterns generated from the earlier campaign.
DCSO CyTec's investigation highlighted that the infection chain of the November 2022 campaign was based on distributing the payload as polyglot DLL/HTML files, which behave differently depending on which application opens them.
In contrast, the current StrelaStealer campaign observed by Unit 42 relies on spreading the payload via phishing emails with ZIP attachments. This new attack places JScript files on the victim's system once the ZIP file has been downloaded and extracted.
This JScript file carries a base64-encoded blob which, once decoded, yields a portable executable DLL file; the DLL runs the payload when launched via rundll32.exe.
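A defender-side check for the chain just described, written as an added example rather than code from the Unit 42 or DCSO CyTec reports: it assumes process-creation telemetry in Sysmon-style fields (image, command line, parent image, parent command line) and that the dropped JScript runs under wscript.exe or cscript.exe, then flags rundll32.exe loading a DLL from a user-writable directory with a JScript host as its parent.

```python
"""Heuristic for the ZIP -> JScript -> DLL -> rundll32.exe chain.

Added example; the field names and sample events below are constructed
assumptions, not telemetry from the reports this article summarises.
"""
import re
from typing import Dict, Iterable, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing-delivered script can normally write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_jscript_host(parent_image: str, parent_cmdline: str) -> bool:
    """True when the parent is a Windows script host running a .js/.jse file."""
    return basename(parent_image) in SCRIPT_HOSTS and bool(
        re.search(r"\.jse?\b", parent_cmdline, re.IGNORECASE))


def dll_path_from_rundll32(cmdline: str) -> Optional[str]:
    """Extract the DLL from 'rundll32.exe <dll>,<export>' (dll may be quoted)."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def find_suspicious_rundll32(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rundll32 launches of a user-writable DLL whose parent is a JScript host."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "rundll32.exe":
            continue
        dll = dll_path_from_rundll32(ev["command_line"])
        if dll is None or not USER_WRITABLE.search(dll):
            continue  # system DLL or unparsable command line: not this pattern
        if is_jscript_host(ev["parent_image"], ev["parent_command_line"]):
            hits.append({"dll": dll, "script": ev["parent_command_line"]})
    return hits


SAMPLE_EVENTS = [  # constructed: one benign Control Panel launch, one dropper
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\hjkl.dll",entry',
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_command_line": r'wscript.exe "C:\Users\alice\Downloads\invoice_4471.js"'},
]
```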
The latest version of the infection chain features improved obfuscation techniques by threat actors seeking to hide the new attack path and evade detection.
This was achieved using an updated packager that employs a control flow obfuscation technique to make forensic analysis by security teams more difficult.
Both campaigns used DLL files as payloads with a malicious export function needed to launch the attack, but the Unit 42 report noted that the approach taken in the latest wave of attacks incorporated several modifications to impair analysis.
This included the use of excessively long blocks of code consisting of arithmetic instructions, which could cause timeouts during the researchers' attempts to run the samples in a sandbox environment.
“High tech,” a popular StrelaStealer target, with over 500 attacks on US organizations in January
The November 2023 campaign involved phishing attacks targeting more than 250 organizations in the US and just under 100 European entities, according to Unit 42 data.
The latest wave of StrelaStealer attacks took place in January 2024 and saw threat actors launch over 500 attacks against US organizations and around 100 against European companies, with another peak in early February in which around 250 attacks targeted US organizations.
Palo Alto's investigation found that the most recent campaign targeted organizations across several industries. However, the “high-tech” sector was by far the most popular target for cybercriminals.
Around 875 StrelaStealer-based attacks were launched against technology companies during the January 2024 campaign.
After high tech, the most frequently attacked industries were finance, professional and legal services, and manufacturing, with around 125 organizations in each sector subject to StrelaStealer attacks.
The Palo Alto report provided indicators of compromise for several types of files used in the infection chain, and organizations are advised to ensure their employees exercise caution when inspecting any unsolicited emails they receive.