Large-Scale StrelaStealer Campaign in Early 2024

A pictorial representation of StrelaStealer.An opened envelope reveals a sheet with a malicious bug icon on it. An at sign is in the upper right.

Executive Summary

StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim’s email login information, which they can then use to perform further attacks. Since the first emergence of the malware in 2022, the threat actor behind StrelaStealer has launched multiple large-scale email campaigns, and there is no sign of them slowing down.

Recently, our researchers have identified a wave of large-scale StrelaStealer campaigns impacting over 100 organizations across the EU and U.S. These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload.

In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns. The malware author often updates the DLL payload with better obfuscation and anti-analysis tricks, which makes it increasingly difficult for analysts and security products to analyze.

This article delves deeper into the timeline of these more recent attacks and the evolving tactics employed by the malware.

Introduction to StrelaStealer

StrelaStealer malware is an email credential stealer first documented by DCSO_CyTec in their blog on Medium published on Nov. 8, 2022. Since the first emergence of the malware, the threat actor behind StrelaStealer has launched multiple large-scale email campaigns, typically across the EU and U.S.

For example, the last large-scale campaign launched in 2023 was around the November time frame. Our researchers have observed a new campaign launched in late January 2024 targeting multiple industries across the EU and U.S.

The basic goal of the StrelaStealer has not changed much, and the payload DLL is still identifiable with the strela string. However, we can see that the threat actor has updated the malware in an attempt to evade detection.

This new variant of StrelaStealer is now delivered through a zipped JScript and it employs an updated obfuscation technique in the DLL payload. We will provide more technical analysis and detail in this article.

Last Large-Scale Campaign of 2023

Since the emergence of StrelaStealer, we have observed its threat operators initiate multiple large-scale campaigns. WildFire researchers observed that the last large-scale campaign in 2023 happened in November, targeting organizations in the U.S. and EU. Figure 1 below shows the timeline of the 2023 November campaign.

Image 1 is a line graph comparing the attack count between the United States and the European Union in 2023, starting October 20th and ending November 19th. The highest period is from November 6 to November 8. This is the highest point for the United States. The European Union sees a similar trajectory to the United States, but it is much less pronounced. — Figure 1. November 2023 campaign.

Recent Large-Scale Campaign in 2024

A month into 2024, the threat actors behind StrelaStealer launched another large-scale campaign, again targeting organizations in the same geographic regions. Figure 2 below shows the timeline of the recent campaign that peaked on Jan. 29, 2024.

Image 2 is a line graph comparing the attack count between the United States and the European Union in 2024, starting January 15th and ending February 15th. The highest peak for the United States is between January 28 and January 30. There is a second peak from February 5 to February 7. Like the November campaign, the January 20, the attack count in the European Union and follow the same trajectory as the United States, but is much less higher. — Figure 2. January 2024 campaign.

The language of the StrelaStealer spam email seen during this campaign is localized and the subject line has the pattern of Factura/Rechnung/invoice####. Figure 3, below, is a sample email in German.

Image 3 is a screenshot of an email with some of the information redacted. The language in the email is a year is in German, and the message includes a zip file that is 179 kB in size. — Figure 3. Example spam email.

Figure 4 shows that while this recent campaign seems to target organizations in many industries, organizations in the high tech industry have been the largest target.

Image 4 is a bar chart of the count of industries affected by StrelaStealer. The first is high technology, which has the most at almost 1,000. The other seven industries have less than 250 counts each. This includes finance, professional and legal services, manufacturing, state and local government, utilities and energy, insurance and construction. — Figure 4. Count of StrelaStealer samples seen for top eight industries.

Technical Analysis of New StrelaStealer Variant

Original StrelaStealer Infection Chain and Payload Recap

As discussed in DCSO’s blog on Medium, earlier versions of StrelaStealer infect the system via email with an attached .iso file. The .iso file contains a .lnk file and a HyperText Markup Language (HTML) file. The technique makes use of polyglot files, which are files that can be treated differently based on the executing application.

When the victim clicks on the .lnk file contained within the .iso file, it executes the HTML and then invokes rundll32.exe to execute the embedded StrelaStealer payload. The initial payload has some encrypted strings, which are decrypted during the execution using a fixed XOR key, as shown in Figure 5.

Image 5 highlights where in the code the description key is. — Figure 5. Decryption key.

Updated Infection Chain

The current version of StrelaStealer spreads through spear phishing emails that contain a ZIP file attachment. Once the user downloads and opens the archive, a JScript file is dropped onto the system.

The JScript file then drops a Base64-encrypted file and a batch file. The Base64-encrypted file is decoded with the certutil -f decode command, resulting in the creation of a Portable Executable (PE) DLL file. Depending on the user’s privileges, the file drops into either %appdata%temp or c:temp on the local disk. The DLL file is then executed through the exported function hello using rundll32.exe.

Please see Figure 6 for the infection chain of the previous version and the newer variant.

Image 6 is the StrelaStealer infection chain. It starts with a malspam email and branches into new and old. The new infection chain is a zip to JavaScript to BAT file, Run DLL 32, and finally the StrelaStealer payload DLL. The old infection chain is ISO to HTML link to run DLL 32 to the StrelaStealer payload DLL. — Figure 6. Infection chain.

Updated Packer

In the newest variant of StrelaStealer seen in the January 2024 campaign, the packer has evolved and employs a control flow obfuscation technique to render analysis more difficult.

The initial function shown in Figure 7 contains an example control flow obfuscation technique of excessively long code blocks consisting of numerous arithmetic instructions. This serves as an anti-analysis technique, potentially leading to timeouts during the execution of samples in a sandbox environment.

Image 7 is a screenshot of multiple windows of code. Highlighted in red boxes is the notice that the code is too big to display. The length is also highlighted in red box on the top left. — Figure 7. Obfuscation (excessively large code block).

Both the original and the new StrelaStealer payload are DLL files with a malicious export function called to launch the attack. Figure 8 shows the payload DLL’s malicious export function side by side.

We can see that the older version of StrelaStealer (left side of Figure 8) was not well obfuscated as these function blocks are clean and easily readable when disassembled. However, the latest version on the right side of Figure 8 shows that the threat actors have employed control flow obfuscation to evade analysis and detection.

Figure 8 is two screenshots side-by-side comparing the export functions of the two different versions of StrelaStealer. On the left is the old version. On the right is the new version. — Figure 8. Export functions of old (left) and new (right) versions of StrelaStealer.

Based on the configuration shown in Figure 9, the payload size and decryption key are used to decrypt the payload. The decrypted payload is a memory-mapped PE file that is not similar to the one found in the earlier version of the StrelaStealer.

Figure 9 is a screenshot of encrypted code. It includes the key in green, the encrypted payload in yellow, and the payload size, labeled with red text. — Figure 9. Encrypted payload.

The presence of strings like strela, server.php, key4.db and login.json within the decrypted payload provides an indication that it is associated with StrelaStealer.

The main purpose of StrelaStealer is to steal email login data from well-known email clients and send it back to the C2 server defined in the malware configuration, as shown in Figure 10.

Image 10 is a screenshot of the StrelaStealer string and its C2 defined in the malware configuration. The StrelaStealer string is indicated by a red box, and the C2 is below it. — Figure 10. StrelaStealer string as well as C2 server name.

The StrelaStealer threat actor incorporated several noteworthy modifications, possibly as means to avoid being detected. For example, PDB strings (debugging symbol strings built in by the compiler) that were present in earlier versions of StrelaStealer, shown in Figure 11, can no longer be found in the samples from the latest campaign. This makes it less obvious that this is a StrelaStealer binary and could render certain naive static signatures useless if they relied on the existence of this string.

Image 11 is a screenshot of code where the PDB string is highlighted in blue. — Figure 11. PDB string from an early StrelaStealer sample.

Figure 12 shows that the export name has changed from StrelaStealer to hello.

Image 12 is a screenshot of the export name changes from Strela to hello. On the top is the earlier version of Strela. The information includes the ordinal, the function RVA, the name ordinal, the name RVA, and the name. The latest version of StrelaStealer is on the bottom and includes the same information, and indicates how it has changed. — Figure 12. Export name changes from Strela to hello.

Conclusion

StrelaStealer malware is an active email credential stealer that is always evolving. With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself. Attackers do this to evade detection by security vendors.

Information stealers are not new to the threat landscape. Though not exactly novel, the various evasion techniques and updates employed by StrelaStealer are effective at evading detection from more reactive signature or pattern-based solutions.

Indicators of Compromise

SHA256 Hash	Filetype
0d2d0588a3a7cff3e69206be3d75401de6c69bcff30aa1db59d34ce58d5f799ae6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1	DLL
f95c6817086dc49b6485093bfd370c5e3fc3056a5378d519fd1f5619b30f3a2eaea9989e70ffa6b1d9ce50dd3af5b7a6a57b97b7401e9eb2404435a8777be054 b8e65479f8e790ba627d0deb29a3631d1b043160281fe362f111b0e080558680	EML
3189efaf2330177d2817cfb69a8bfa3b846c24ec534aa3e6b66c8a28f3b18d4b	ZIP
544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45	JS
193[.]109[.]85[.]231	C2 server

MITRE TTP :

Initial Access [TA0001]:
- Technique: Spearphishing Attachment [T1566.001]
  - Procedure: StrelaStealer malware is spread through spear-phishing emails containing ZIP or ISO file attachments. Once the user downloads and opens the archive, a malicious JScript or LNK file is dropped onto the system, leading to the execution of the malware.
Defense Evasion [TA0005]:
- Technique: Obfuscated Files or Information [T1027]
  - Procedure: The StrelaStealer DLL payload employs obfuscation techniques, such as control flow obfuscation, to render analysis more difficult and evade detection by security products.
- Technique: Deobfuscate/Decode Files or Information [T1140]
  - Procedure: The JScript file drops a Base64-encrypted file which is then decoded using the certutil -f decode command, resulting in the creation of a Portable Executable (PE) DLL file.
- Technique: Modify System Process [T1050]
  - Procedure: The StrelaStealer payload is executed through an exported function (e.g., hello) using rundll32.exe, a legitimate Windows utility, to evade detection.
Credential Access [TA0006]:
- Technique: Unsecured Credentials: Credentials In Files [T1552.001]
  - Procedure: StrelaStealer aims to steal email login data from well-known email clients and send it back to the attacker’s Command and Control (C2) server.
Command and Control [TA0011]:
- Technique: Application Layer Protocol: Web Protocols [T1071.001]
  - Procedure: StrelaStealer communicates with its C2 server over HTTP/HTTPS to exfiltrate stolen data and possibly receive further commands.
Exfiltration [TA0010]:
- Technique: Exfiltration Over C2 Channel [T1041]
  - Procedure: Stolen email credentials are sent back to the attacker’s C2 server, which can then be used for further attacks or espionage activities.

Source: https://unit42.paloaltonetworks.com/strelastealer-campaign/

Tags: PAYLOAD, DEFENSE EVASION, WINDOWS, DNS, EXFILTRATION, CREDENTIAL, CLOUD, XDR