Researchers Uncover Stealthy Tactics and Techniques of StrelaStealer Malware

Security researchers have documented the operations of StrelaStealer, also known as Strela, detailing the stealthy tactics it uses in its information-theft campaigns. 

The malware, which IBM Security X-Force links to the HIVE-0145 threat actor group, steals email credentials from widely used clients such as Microsoft Outlook and Mozilla Thunderbird.

StrelaStealer begins with large-scale phishing campaigns that deliver the malicious payload inside ZIP archives. 

Each archive contains a JavaScript file that, once the recipient runs it, starts the infection chain. 

Figure: StrelaStealer malware
Malware Deployment

The initial JavaScript drops an encoded payload and uses the legitimate Windows CertUtil utility (typically certutil -decode) to decode it, a technique documented in the recent analyses by IBM and AttackIQ. 

The decoded output is a Dynamic Link Library (DLL) payload that is then loaded and executed, a step that sidesteps many traditional file-based controls because no standalone executable is ever written to disk.

Advanced Evasion and Execution Tactics

By March 2024, StrelaStealer's campaign had escalated, targeting over 100 organizations across the EU and U.S., with particular focus on Italy, Spain, Germany, and Ukraine. 

The attackers evade detection by varying the initial email attachment formats and tightening the obfuscation of the DLL payload. 

The payload is executed through native, signed Windows utilities such as rundll32.exe or regsvr32.exe (so-called living-off-the-land binaries), so no foreign executable appears in process telemetry for security software to flag; the only anomaly is a trusted binary loading a DLL from an unusual location.

Discovery and Data Exfiltration

Once running on a system, StrelaStealer performs reconnaissance to gather basic host information. 

It calls Windows APIs such as GetComputerNameA to fetch the NetBIOS computer name and GetLocaleInfoA to read the country locale, and it runs PowerShell scripts to enumerate installed applications. 

For exfiltration, the malware sends the collected data to attacker-controlled servers in plaintext HTTP POST requests, a behaviour observed in recent campaigns; because the channel is unencrypted, the stolen credentials and host details are visible to any network inspection on the egress path.

Figure: system reconnaissance and file exfiltration

Given the range of techniques involved, defenders should concentrate on a few key preventive measures. 

Because the chain depends on downloading additional stages, endpoint and network controls that detect malicious downloads are the first recommendation. 

Anomalies in process execution, such as commands run from temporary directories, certutil used as a decoder, or rundll32 and regsvr32 loading DLLs from user-writable paths, offer opportunities for early detection.
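As an added example (not code from the original article, nor from IBM or AttackIQ), the following Python script applies the detection ideas in the deployment, execution and reconnaissance sections above to a handful of constructed Sysmon-style process-creation events that mimic the described chain: a script host launched from a temporary ZIP-extraction folder, certutil invoked with -decode, rundll32 loading the decoded DLL from the user's Temp directory, and PowerShell spawned from that rundll32 to enumerate installed software. The event fields, paths, PIDs and rule names are assumptions chosen for illustration; two benign events show that ordinary certutil and rundll32 use does not fire.

```python
"""Process-tree detection for the StrelaStealer-style execution chain.

Runs over constructed Sysmon Event ID 1 style process-creation events
(not real telemetry) and flags the living-off-the-land steps described in
the article. Rule names, paths and PIDs are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Directories a phishing chain typically writes to. Legitimate software
# rarely loads DLLs from here via rundll32/regsvr32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def _name(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    img, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.cmdline.lower()

    # Rule 1: certutil used as a decoder, launched by a script host.
    if img == "certutil.exe" and parent in SCRIPT_HOSTS and re.search(r"-decode(hex)?\b", cmd):
        hits.append("certutil_decode_from_script_host")
    # Rule 2: certutil decoding into a user-writable path, whatever the parent.
    if img == "certutil.exe" and "-decode" in cmd and USER_WRITABLE.search(ev.cmdline):
        hits.append("certutil_decode_to_temp")
    # Rule 3: rundll32/regsvr32 loading a module from a user-writable path.
    if img in DLL_HOSTS and USER_WRITABLE.search(ev.cmdline):
        hits.append("dll_host_loads_from_user_dir")
    # Rule 4: PowerShell spawned by a DLL host (the reconnaissance stage).
    if img in {"powershell.exe", "pwsh.exe"} and parent in DLL_HOSTS:
        hits.append("powershell_child_of_dll_host")
    # Rule 5: script host started with a script from a temp/download folder.
    if img in SCRIPT_HOSTS and USER_WRITABLE.search(ev.cmdline):
        hits.append("script_host_from_temp")
    return hits


def correlate(events: list[ProcEvent]) -> dict[int, dict]:
    """Evaluate all events and note whether a flagged process has a flagged parent.

    A flagged child of a flagged parent is the strongest signal: it means the
    stages of the chain are linked in the process tree, not isolated oddities.
    """
    by_pid = {e.pid: e for e in events}
    flagged = {e.pid: evaluate(e) for e in events}
    flagged = {pid: rules for pid, rules in flagged.items() if rules}
    return {
        pid: {"rules": rules, "parent_flagged": by_pid[pid].ppid in flagged}
        for pid, rules in flagged.items()
    }


# Constructed sample telemetry (assumed values, not captured from a real host).
SYS32 = r"C:\Windows\System32"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(4100, 3000, SYS32 + r"\wscript.exe",
              f'"{SYS32}\\wscript.exe" "{TEMP}\\Temp1_invoice.zip\\Rechnung_2024.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4120, 4100, SYS32 + r"\certutil.exe",
              f"certutil -decode {TEMP}\\x.txt {TEMP}\\x.dll", SYS32 + r"\wscript.exe"),
    ProcEvent(4135, 4100, SYS32 + r"\rundll32.exe",
              f"rundll32.exe {TEMP}\\x.dll,#1", SYS32 + r"\wscript.exe"),
    ProcEvent(4150, 4135, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Get-ItemProperty '
              r'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName"',
              SYS32 + r"\rundll32.exe"),
    # Benign: an administrator verifying a certificate file.
    ProcEvent(5200, 3000, SYS32 + r"\certutil.exe",
              r'certutil -verify "C:\Program Files\Vendor\cert.cer"', r"C:\Windows\explorer.exe"),
    # Benign: rundll32 invoking a system DLL from System32.
    ProcEvent(5300, 3000, SYS32 + r"\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, info in correlate(SAMPLE_EVENTS).items():
        print(pid, info["rules"], "chained" if info["parent_flagged"] else "isolated")
```

Rules 1, 3 and 4 are the ones worth paging on when they chain; rule 2 and rule 5 alone are noisier on hosts where users legitimately run scripts from Downloads, so tune the directory list to your environment before deploying the logic in an EDR query or SIEM rule.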

According to the report, StrelaStealer remains a significant threat because of its continually evolving evasion and persistence techniques. 

That pace of change underscores the importance of proactive, rather than purely reactive, defense. 

Security teams are encouraged to use the attack graphs provided by platforms such as AttackIQ to simulate this malware's chain against their own controls and measure what is actually detected or blocked. 

Countering StrelaStealer therefore calls for a layered approach: blocking the initial download, catching misuse of native tools in process telemetry, and regularly re-testing those controls as the attackers change their tradecraft.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
