Strela Stealer is a targeted infostealer that harvests email credentials from Mozilla Thunderbird and Microsoft Outlook users in a handful of European countries. It is delivered through phishing campaigns that rely on social engineering to get the victim to run the payload; its infrastructure is hosted with Russian providers and the malware uses multi-layer obfuscation to evade detection and slow analysis. Affected: Mozilla Thunderbird, Microsoft Outlook, Spain, Italy, Germany, Ukraine
Key points:
- The Strela Stealer targets email credentials specifically from Mozilla Thunderbird and Microsoft Outlook.
- It has been active since late 2022 and has been distributed through phishing campaigns, primarily in Spain, Italy, Germany, and Ukraine.
- The lure is a fake invoice email carrying a ZIP attachment that contains the malware; the victim has to open the archive and run the file inside it.
- The malware employs complex obfuscation techniques to hinder analysis and detection.
- Strela Stealer is believed to be operated by a single threat actor known as ‘Hive0145.’
- The command-and-control infrastructure is associated with Russian bulletproof hosting providers.
- The malware checks the system locale before stealing or exfiltrating anything, so it only runs to completion on hosts in the targeted countries.
- Stolen data is exfiltrated via HTTP POST requests to the operator's C2 servers.
- Strela Stealer utilizes multiple stages of execution, including an initial loader and subsequent packed DLLs for data extraction.
MITRE Techniques:
- Command and Scripting Interpreter: JavaScript (T1059.007) – Uses JScript to execute a script file via wscript.exe.
- Obfuscated Files or Information (T1027) – Employs multi-layer obfuscation to complicate malware analysis.
- Unsecured Credentials: Credentials In Files (T1552.001) – Extracts credentials from Mozilla Thunderbird's and Microsoft Outlook's profile files.
- Exfiltration Over C2 Channel (T1041) – Exfiltrates stolen credentials through HTTP POST requests to C2 servers.
- Execution Guardrails (T1480) – Checks the system locale so the payload only proceeds on hosts within the targeted geographic bounds.
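The behaviours listed above (a .js file launched by wscript.exe from a user-writable directory, a follow-on outbound HTTP connection to the published C2 address, and the published file hashes) are enough to write a first-pass detection. The following is an added example, not code from the report or from any vendor: it runs offline over constructed Sysmon-style events, refangs the defanged C2 IP so it can be compared against telemetry, and flags the chain. The event dictionary layout, field names and sample events are assumptions made for this example.

```python
"""Added example (not from the original report): an offline detector that runs
over constructed Sysmon-style events and flags the Strela Stealer behaviours
described in the report. Event format and field names are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Indicators copied from the report; the IP is kept defanged as published.
IOC_SHA256 = {
    "f5c54fce6c9e2f84b084bbf9968c9a76d9cd74a11ccf4fcba29dbe2e4574e3d7",
    "9c49266e315eb76ce73cbe542cfd2bbf28844689944ac8776daecbdcdecd8cf8",
}
IOC_IPS_DEFANGED = {"193.143[.]1.205"}


def refang_ip(value: str) -> str:
    """Turn a defanged indicator such as 193.143[.]1.205 back into a comparable
    address. Raises ValueError if the result is not a valid IP address, so a
    typo in an IOC feed fails loudly instead of silently never matching."""
    candidate = value.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.ip_address(candidate))


IOC_IPS = {refang_ip(ip) for ip in IOC_IPS_DEFANGED}

# Locations an unprivileged user can write to. A script host launched from one
# of these is far more suspicious than an admin-deployed logon script.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp)\\", re.IGNORECASE)
# First .js argument on a Windows command line (drive letter, path, .js suffix).
JS_ARG = re.compile(r'"?([A-Z]:\\[^"]+?\.js)\b"?', re.IGNORECASE)


def detect(events):
    """events: iterable of dicts with a 'type' of ProcessCreate, NetworkConnect
    or FileCreate (constructed, Sysmon-like). Returns (rule, host, detail) hits."""
    hits = []
    script_pids = defaultdict(set)  # host -> pids of wscript/cscript running a .js
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "ProcessCreate":
            image = ev["image"].lower()
            m = JS_ARG.search(ev.get("cmdline", ""))
            if image.endswith(("\\wscript.exe", "\\cscript.exe")) and m:
                path = m.group(1)
                if USER_WRITABLE.search(path):
                    script_pids[host].add(ev["pid"])
                    hits.append(("T1059.007 script host running .js from user-writable path", host, path))
        elif kind == "NetworkConnect":
            dst = ev["dst_ip"]
            if dst in IOC_IPS:
                hits.append(("T1041 connection to published Strela C2", host,
                             f"{ev['image']} -> {dst}:{ev['dst_port']}"))
            elif ev["pid"] in script_pids[host] and ev["dst_port"] in (80, 443):
                # The C2 address will change; the script host talking HTTP will not.
                hits.append(("T1041 suspicious script host making outbound HTTP", host,
                             f"pid {ev['pid']} -> {dst}:{ev['dst_port']}"))
        elif kind == "FileCreate":
            if ev.get("sha256", "").lower() in IOC_SHA256:
                hits.append(("IOC SHA256 match", host, ev["path"]))
    return hits


# Constructed sample telemetry: one infected host (WS01) and one clean host (WS02).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\1692630503222433608.js"'},
    {"type": "NetworkConnect", "host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe", "dst_ip": "193.143.1.205", "dst_port": 80},
    {"type": "FileCreate", "host": "WS01", "pid": 4120,
     "path": r"C:\Users\ana\AppData\Local\Temp\1909835116765.dll",
     "sha256": "9c49266e315eb76ce73cbe542cfd2bbf28844689944ac8776daecbdcdecd8cf8"},
    # Benign: a logon script from a system path and ordinary browser traffic.
    {"type": "ProcessCreate", "host": "WS02", "pid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Windows\SYSVOL\scripts\logon.js"'},
    {"type": "NetworkConnect", "host": "WS02", "pid": 1300,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.10", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The hash and IP matches are the brittle part: both change between campaigns, and the filenames in the IOC list are numeric and will not recur. The behavioural rule (a script host started from a user-writable path that then talks HTTP) is what survives infrastructure rotation, at the cost of needing tuning against legitimate logon scripts in your environment.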
Indicators of Compromise:
- [Filename] 1692630503222433608.js
- [Filename] 1909835116765.dll
- [SHA256] f5c54fce6c9e2f84b084bbf9968c9a76d9cd74a11ccf4fcba29dbe2e4574e3d7
- [SHA256] 9c49266e315eb76ce73cbe542cfd2bbf28844689944ac8776daecbdcdecd8cf8
- [IP Address] 193.143[.]1.205