StrelaStealer is an information stealer first observed in 2022 that harvests email account credentials from clients such as Microsoft Outlook and Mozilla Thunderbird. It is delivered through phishing campaigns whose ZIP attachments carry malicious JavaScript files; the script then downloads the stealer DLL. The malware has hit more than 100 organizations in the EU and the U.S., particularly in Italy, Spain, Germany, and Ukraine, and is attributed to the HIVE-0145 threat actor group.
Affected: StrelaStealer, HIVE-0145, Email Security, Organizations in EU and U.S.
Keypoints :
- StrelaStealer is designed to steal email account credentials.
- Dissemination occurs through phishing emails with attached ZIP archives.
- The initial payload is a JavaScript file that retrieves a DLL from a WebDAV server.
- Over 100 organizations, particularly in Italy, Spain, Germany, and Ukraine, have been targeted.
- Linked to the HIVE-0145 threat actor group, focused on credential theft.
- AttackIQ has created attack graphs to help validate security controls against this threat.
- Recent campaigns have featured updated evasion tactics, including execution through Windows Script Host (WScript) and encoded PowerShell commands.
MITRE Techniques :
- Ingress Tool Transfer (T1105): Downloads malicious samples to memory and disk.
- Deobfuscate/Decode Files or Information (T1140): Uses certutil.exe with -decode to turn a base64-encoded payload back into a binary.
- System Binary Proxy Execution: Rundll32 (T1218.011): Executes a DLL via rundll32.exe.
- Command and Scripting Interpreter: JavaScript (T1059.007): Executes JavaScript files using cscript.exe.
- Command and Scripting Interpreter: PowerShell (T1059.001): Runs encoded PowerShell commands.
- System Information Discovery (T1082): Collects system information using systeminfo and API calls.
- Software Discovery (T1518): Executes PowerShell scripts to list installed applications.
- System Location Discovery (T1614): Retrieves user locale information via API calls.
- File and Directory Discovery (T1083): Enumerates files using native Windows API calls.
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): Sends exfiltrated data over HTTP POST requests.
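The key points and the technique list above describe one delivery chain built entirely from native Windows binaries: a script host runs the JavaScript, certutil decodes the base64 payload, rundll32 executes the resulting DLL, and an encoded PowerShell command performs discovery. The following detection logic is an added example (it is not AttackIQ's attack graph nor the malware's code) that runs over constructed Sysmon/4688-style process-creation events and correlates those individual technique hits back to the script-host process that spawned them, so the whole chain is reported as one finding rather than four isolated alerts. All paths, pids, hostnames and command lines are illustrative assumptions, not indicators from the report.

```python
"""Detection logic for the StrelaStealer delivery chain summarised above.

Added example, not AttackIQ's or the malware's code. It scores Windows
process-creation events (constructed here, modelled on Sysmon Event ID 1 /
Security 4688 fields) against the living-off-the-land chain the page lists:
cscript/wscript running a .js, certutil -decode, rundll32 loading a DLL from a
user-writable path, and powershell -EncodedCommand. Paths, pids and command
lines are illustrative assumptions, not observed indicators.
"""
import base64
import re

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
# Locations a phishing payload typically lands in; a system DLL under
# C:\Windows\System32 loaded by rundll32 is normal and must not fire.
USER_WRITABLE = re.compile(r"(?i)\\(?:Users|ProgramData|Temp|AppData|Public)\\")
# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed plaintext for the encoded PowerShell stage (software discovery, T1518).
PS_PLAINTEXT = r"Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName"
PS_ENCODED = base64.b64encode(PS_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry: one malicious tree rooted at cscript.exe (pid 4101)
# plus one benign rundll32 launch (pid 5000) that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3990, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //E:jscript "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\payload.txt C:\Users\alice\AppData\Local\Temp\payload.dll"},
    {"pid": 4133, "ppid": 4101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,Entry"},
    {"pid": 4150, "ppid": 4133, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + PS_ENCODED},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def image_name(event):
    """Basename of the process image, lower-cased for matching."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the set of ATT&CK technique IDs a single event matches."""
    name, cmd = image_name(event), event["cmdline"]
    hits = set()
    if name in SCRIPT_HOSTS and re.search(r"(?i)\.jse?\b", cmd):
        hits.add("T1059.007")  # JScript run through Windows Script Host
    if name == "certutil.exe" and re.search(r"(?i)\s-decode(?:hex)?\b", cmd):
        hits.add("T1140")      # certutil used as a base64 decoder
    if name == "rundll32.exe" and re.search(r"(?i)\.dll\b", cmd) and USER_WRITABLE.search(cmd):
        hits.add("T1218.011")  # DLL proxied from a user-writable path
    if name == "powershell.exe" and decode_encoded_command(cmd) is not None:
        hits.add("T1059.001")  # encoded PowerShell command line
    return hits


def detect_chains(events):
    """Group flagged events under the script-host process that spawned them.

    Returns {root_pid: [technique, ...]}. Two or more distinct techniques under one
    script host is the JS -> certutil -> rundll32 -> PowerShell chain described above;
    a lone hit (for example a single certutil -decode) is a much weaker signal.
    """
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        hits = classify(e)
        if not hits:
            continue
        cur, seen = e, set()  # walk up the tree until a script host or an unknown parent
        while cur is not None and cur["pid"] not in seen and image_name(cur) not in SCRIPT_HOSTS:
            seen.add(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        root = cur["pid"] if cur is not None and image_name(cur) in SCRIPT_HOSTS else e["pid"]
        chains.setdefault(root, set()).update(hits)
    return {root: sorted(techs) for root, techs in chains.items()}


if __name__ == "__main__":
    for root, techs in detect_chains(SAMPLE_EVENTS).items():
        print(f"script host pid {root}: {', '.join(techs)}")
    print("decoded PowerShell stage:", decode_encoded_command(SAMPLE_EVENTS[3]["cmdline"]))
```

On the sample tree this reports a single finding for pid 4101 carrying all four techniques, while the benign rundll32 launch of shell32.dll produces nothing. The design choice worth keeping when porting this to a SIEM rule is the parent walk: certutil -decode and rundll32 with a DLL argument each occur in legitimate administration, and it is their appearance under a cscript/wscript ancestor, together with an encoded PowerShell child, that makes the pattern specific to this delivery chain.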
Indicator of Compromise :
- No IoCs Found
Full Story: https://www.attackiq.com/2025/04/17/emulating-strelastealer/