StrelaStealer malware targets hundreds of EU and US orgs

March 26, 2024

A recent upsurge in StrelaStealer malware attacks has targeted more than a hundred organisations across the United States and Europe, with the aim of stealing email account credentials.

Since November last year, StrelaStealer has been one of the most active malware families, owing to a well-developed technique for siphoning credentials from Outlook and Thunderbird accounts.

According to reports, the malware operators used a polyglot file infection method to bypass conventional security controls. The campaign initially focused on Spanish-speaking users before the malware's scope broadened significantly.

The StrelaStealer malware has started infecting European and American companies.

Investigations show a notable shift in the StrelaStealer campaign, which has expanded its attack scope to a range of individuals and organisations in the US and Europe.

Distribution relies on phishing campaigns, which escalated in November 2023. Recent reports state that the targeted entities have reached 250 organisations in the US, with the operation persisting into this year.

Analysts observed a significant increase in activity between late January and early February 2024, with attacks in the US numbering in the hundreds on certain days. Confirmed compromises have surpassed 100 in both the US and Europe.

Additionally, the malware operators have incorporated English and various European languages into their tactics to adapt to different linguistic environments.

Some of the malware’s most targeted sectors include tech, finance, legal services, manufacturing, government, utilities and energy, insurance, and construction. While still reliant on malicious emails as the primary infection vector, the attackers have refined their infection mechanisms.

Previously, the attackers sent emails carrying .ISO attachments that contained a .lnk shortcut and an HTML file, using a polyglot file to run the malware payload. The latest iteration instead uses ZIP attachments to drop JScript files onto victims' systems.

These scripts then launch a batch file and base64-encoded content, which executes a DLL via rundll32.exe and delivers the StrelaStealer payload.
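From the defensive side, an added example (not part of the original report) showing how the chain just described, a script host running a batch file that in turn launches rundll32.exe, can be flagged in process-creation telemetry. The events below are constructed Sysmon-style samples; the field names, paths and the `explorer.exe` parent are assumptions.

```python
"""Flag rundll32.exe whose ancestry is cmd.exe <- wscript/cscript (a ZIP-delivered
JScript launching a batch file), as in the StrelaStealer chain described above."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed sample telemetry (not real data): a user opened a ZIP-delivered .js,
# then a benign rundll32.exe launched directly from the shell for comparison.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_inv.zip\inv.js"'),
    ProcEvent(300, 200, "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ProcEvent(500, 300, "rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,entry"),
    ProcEvent(600, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Return image names of the parent, grandparent, ... of ev (nearest first)."""
    chain = []
    cur = ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur.image)
    return chain


def find_suspicious_rundll32(events: list) -> list:
    """Return PIDs of rundll32.exe processes spawned by cmd.exe under a script host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image != "rundll32.exe":
            continue
        anc = ancestors(ev, by_pid)
        if len(anc) >= 2 and anc[0] == "cmd.exe" and anc[1] in SCRIPT_HOSTS:
            hits.append(ev.pid)
    return hits


if __name__ == "__main__":
    print("suspicious rundll32 PIDs:", find_suspicious_rundll32(SAMPLE_EVENTS))
```

A production rule would also weigh the DLL path (here a user-writable Temp directory) and the ZIP-extraction path on the script host's command line, both visible in the sample events.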

The malware's packer now employs control flow obfuscation, which complicates analysis, and strips PDB strings to evade static, signature-based detection tools. Despite these advancements, the primary objective remains the same: steal email login credentials and transmit them to the attackers' C2 server.

Users should exercise caution when handling unwanted emails, especially those involving payments or invoices, and avoid downloading attachments from unknown sources.
