Chris Bratton - Tech Journalist

Introducing 'StrelaStealer': a malware threat targeting EU and US companies

In a recent study, researchers at Palo Alto Networks' Unit 42 threat intelligence division have discovered a widespread campaign distributing a malware family known as StrelaStealer. This malicious software has affected over 100 organizations in both the European Union and the United States.

StrelaStealer is specifically designed to steal email credentials, compromising the login information of victims' email accounts and transmitting it to the attacker's command and control (C2) server. Initially documented by Berlin-based cybersecurity company DCSO CyTec in November 2022, StrelaStealer has undergone various evolutions in its distribution methods since its inception.

Earlier versions of the malware primarily targeted Spanish-speaking victims using lure documents, distributed through ISO files. However, the attackers have since modified their tactics to avoid detection. Palo Alto's research reveals that the email attachment file format has been changed from one campaign to another, preventing the use of previously generated signatures or patterns.

DCSO CyTec's research also highlighted that the November 2022 campaign delivered the malware payload as DLL/HTML polyglot files, which are interpreted differently depending on the application that opens them. In contrast, the current wave of StrelaStealer attacks, observed by Unit 42, employs spear phishing emails with ZIP file attachments. Once the ZIP file is downloaded and extracted, JScript files are dropped onto the victim's system. These scripts write a DLL (a portable executable) to disk and launch it via rundll32.exe, which deploys the malware.
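The chain described above (a JScript file run by the Windows script host, followed by rundll32.exe loading a DLL from a user-writable folder) is the kind of parent/child relationship a process-creation log can surface. The detector below is an added example, not code from the article or from Unit 42; it assumes a pipe-separated event format and uses constructed sample events, with all host names, user names and file names invented for illustration.

```python
import re

# Constructed sample process-creation events (assumed format, not from the article):
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2024-01-16T09:12:01Z|ws01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.js"
2024-01-16T09:12:03Z|ws01|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2.dll,Entry
2024-01-16T09:30:44Z|ws02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
2024-01-16T10:02:17Z|ws03|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\bob\\Downloads\\setup.dll,Run
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLL path under a user-writable location (profile subfolders a phishing drop usually lands in).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# First DLL path on the rundll32 command line, optionally quoted.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^\s",]+\.dll)', re.I)


def parse_events(text):
    """Split the constructed log into dicts; one dict per event line."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_rundll32_from_user_path(events):
    """Flag rundll32.exe loading a DLL from a user-writable path.

    Severity is raised to 'high' when the parent is a script host, matching the
    JScript -> DLL -> rundll32 sequence described in the article. A DLL loaded
    from System32 (the third sample event) is normal and produces no alert.
    """
    alerts = []
    for ev in events:
        if basename(ev["image"]) != "rundll32.exe":
            continue
        match = DLL_ARG.search(ev["cmd"])
        if not match or not USER_WRITABLE.search(match.group(1)):
            continue
        severity = "high" if basename(ev["parent"]) in SCRIPT_HOSTS else "medium"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "dll": match.group(1), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_rundll32_from_user_path(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Tune the path pattern to your environment; legitimate installers occasionally run DLLs from Downloads, which is why that case is only rated medium.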

The latest version of StrelaStealer incorporates enhanced obfuscation techniques, making it more challenging for security teams to detect and analyze. The threat actors behind the campaign utilize an updated packer that employs control flow obfuscation, hindering forensic analysis.

Both the November 2023 and the more recent StrelaStealer campaigns targeted a significant number of organizations. The November 2023 campaign specifically focused on phishing attacks, affecting over 250 US organizations and nearly 100 European entities. The January 2024 wave saw over 500 attacks on US organizations and approximately 100 on European firms. Additionally, there was a spike in February, with around 250 attacks targeting US organizations.

Palo Alto's research indicates that StrelaStealer targets organizations across various industries. However, the "high tech" sector appears to be the primary focus of cybercriminals. During the January 2024 campaign, approximately 875 StrelaStealer-based attacks were launched against technology companies. Following high tech, finance, professional and legal services, and manufacturing were the most frequently targeted sectors, each experiencing around 125 StrelaStealer attacks.

To mitigate the risk of StrelaStealer infections, organizations are advised to educate their employees about exercising caution when handling unsolicited emails. Palo Alto's report provides indicators of compromise for different file types used in the infection chain, aiding in the detection and prevention of this malware threat.
