New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.

A new wave of phishing attacks has surfaced that delivers a malicious and continually evolving information stealer known as StrelaStealer. Palo Alto Networks' Unit 42 researchers have identified multiple StrelaStealer campaigns that have affected over a hundred organizations in Europe and the United States. These campaigns rely on phishing emails whose attachments carry the malicious StrelaStealer DLL payload as the means of initial access. StrelaStealer was first disclosed in November 2022 and can siphon email login data from popular email clients and exfiltrate it to a C2 server. Two large-scale campaigns have been observed in the wild using StrelaStealer against a variety of critical infrastructure sectors. The basic goal of the payload has not changed much; the new variant is delivered through a ZIP file attachment containing a malicious JScript file. However, these attacks employ an updated variant of StrelaStealer with better obfuscation against sandbox environments and additional anti-analysis tricks. These include changing the file format of the phishing attachment to evade payload-based signatures, which detect patterns in the content of the file, as opposed to traditional scanning, which matches attributes and file hashes associated with malicious intent. Another obfuscation technique involves excessively long machine code blocks that can cause timeouts when researchers analyze the sample in a sandbox environment.

The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well-known applications, or cracked software, hosted on GitHub, Mega, or Dropbox are serving as a conduit for a stealer malware known as Stealc. Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered using a cryptors-as-a-service (CaaS) offering called AceCryptor, per ESET.

Security Officer Comments:
Researchers concluded that this campaign is associated with the new StrelaStealer variant because of strings found in the decrypted payload, such as "strela", "server.php", "key4.db", and "login.json". Updating the file format of the email attachment and changing the DLL payload help the stealer evade detection even by highly reactive pattern-detection software. This campaign follows a new cluster of activity tracked as Fluffy Wolf, which also uses phishing emails with executable attachments to deliver a variety of information stealers and remote access trojans. The frequency of campaigns like this one indicates that even unskilled bad actors can conduct successful attacks at scale for a decent profit because of Malware-as-a-Service (MaaS).
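As an added illustration of the two signals the reporting above gives defenders, the ZIP-with-JScript delivery chain and the strings Unit 42 found in the decrypted payload, the following mail-gateway triage routine flags such attachments. This is example code written for this page, not Unit 42's or Palo Alto Networks' tooling; the sample ZIP is constructed inline, and the non-JScript script extensions are an assumption added for breadth.

```python
"""Attachment triage for the StrelaStealer delivery chain described above.
Example code for this page; the sample ZIP below is constructed, not a real
campaign artifact."""
import io
import zipfile

# The page ties the delivery chain to a JScript file inside a ZIP and the
# payload to a DLL. The extra script extensions are an assumption for breadth.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".hta", ".vbs")
PAYLOAD_EXTENSIONS = (".dll",)

# Strings reported in the decrypted StrelaStealer payload.
STRELA_STRINGS = (b"strela", b"server.php", b"key4.db", b"login.json")


def indicator_hits(data: bytes) -> list:
    """Return which of the known StrelaStealer strings appear in a blob.
    Only plaintext is checked; an encrypted payload will not match here."""
    return [s.decode() for s in STRELA_STRINGS if s in data]


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect every member of a ZIP attachment for the page's two signals."""
    findings = {"scripts": [], "payloads": [], "indicator_hits": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(SCRIPT_EXTENSIONS):
                findings["scripts"].append(info.filename)
            elif name.endswith(PAYLOAD_EXTENSIONS):
                findings["payloads"].append(info.filename)
            hits = indicator_hits(zf.read(info))
            if hits:
                findings["indicator_hits"][info.filename] = hits
    return findings


def is_suspicious(findings: dict) -> bool:
    """Quarantine if any script, DLL, or known payload string was found."""
    return bool(findings["scripts"] or findings["payloads"]
                or findings["indicator_hits"])


def build_sample_zip(include_loader: bool = True) -> bytes:
    """Constructed sample: a decoy text file plus, optionally, a .js member
    that stands in for the loader (it contains no real loader logic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please see the attached invoice.")
        if include_loader:
            zf.writestr("invoice_2024.js", "var x = 1; // constructed stand-in")
    return buf.getvalue()
```

Because the campaign changes the attachment format to sidestep content signatures, the extension check and the string scan are each only one layer; pair them with sandbox detonation and sender verification rather than relying on either alone.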

Suggested Corrections:
The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions thereby also increase the risk of personnel being targeted by phishing or spam attacks, and thus ransomware and other malware infections. Users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Report phishing emails to the appropriate security or I.T. staff immediately

Palo Alto Networks has shared the IOCs relevant to this campaign here: