Key points
- Spearphishing emails use ZIP attachments containing a JScript (new variant) instead of the previous ISO/.lnk delivery.
- The JScript drops a Base64-encoded file and a batch file; the encoded blob is decoded with “certutil -f decode” into a PE DLL.
- The DLL is written to %appdata%\temp or C:\temp (depending on privileges) and executed via rundll32.exe by calling an exported function (renamed to “hello”).
- The payload uses control-flow obfuscation and excessively long arithmetic blocks to impede analysis and sandbox execution, and removed PDB strings to evade simple static signatures.
- The decrypted payload is a memory-mapped PE that contains identifiers like “strela”, “server.php”, “key4.db”, and “login.json” and points to a C2 for exfiltration.
- Stolen email credentials are exfiltrated to the actor’s C2 (observed IP 193.109.85.231) over web protocols; multiple SHA256 hashes for DLL/EML/ZIP/JS samples are published as IOCs.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – StrelaStealer is “spread through spear-phishing emails containing ZIP or ISO file attachments” and uses attached archives to drop malicious scripts.
- [T1027] Obfuscated Files or Information – The payload “employs control flow obfuscation to render analysis more difficult.”
- [T1140] Deobfuscate/Decode Files or Information – The JScript drops a Base64-encoded file which is decoded using “certutil -f decode” to produce the DLL.
- [T1050] Modify System Process – The DLL is executed via rundll32.exe by calling its exported function (renamed to “hello”) to blend with legitimate system activity.
- [T1552.001] Unsecured Credentials: Credentials In Files – StrelaStealer aims to “steal email login data from well-known email clients and send it back to the attacker’s Command and Control (C2) server.”
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with its C2 over HTTP/HTTPS to exfiltrate stolen data and receive commands.
- [T1041] Exfiltration Over C2 Channel – Stolen email credentials are “sent back to the attacker’s C2 server” for further misuse.
Indicators of Compromise
- [SHA256 hashes] Sample file hashes (mapped to filetype) – DLL: 0d2d0588a3a7cff3e69206be3d75401de6c69bcff30aa1db59d34ce58d5f799a and e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1, EML: f95c6817086dc49b6485093bfd370c5e3fc3056a5378d519fd1f5619b30f3a2e…, and 3 more hashes.
- [File hashes by type] ZIP/JS example – ZIP: 3189efaf2330177d2817cfb69a8bfa3b846c24ec534aa3e6b66c8a28f3b18d4b, JS: 544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45.
- [IP Address – C2] Command-and-control server – 193[.]109[.]85[.]231 (observed C2 used for exfiltration).
- [File names in payload] Configuration/artefacts – key4.db, login.json (strings found in decrypted payload indicating credential storage/targets).
StrelaStealer’s current infection chain begins with spearphishing ZIP attachments that contain a JScript file; when executed, the script writes a Base64-encoded blob and a batch file to disk, then runs certutil -f decode to convert the blob into a Portable Executable (PE) DLL placed in %appdata%\temp or C:\temp depending on permissions. The DLL exposes a malicious export (renamed to “hello” in newer samples) which is invoked via rundll32.exe, launching the payload without dropping a typical EXE and helping the actor blend activity into legitimate system processes.
Internally, the DLL contains an encrypted payload and uses a configuration with a payload size and decryption key to decrypt a memory-mapped PE. The decrypted module contains strings such as “strela”, “server.php”, “key4.db”, and “login.json”, indicating credential harvesting behavior and configuration for C2 communication. The packer has evolved to include control-flow obfuscation—large arithmetic-heavy code blocks that increase analysis time and can cause sandbox timeouts—and earlier identifying markers like PDB strings have been removed to thwart static signatures.
Post-decryption behavior focuses on stealing email client credentials and exfiltrating them to an HTTP/HTTPS C2 channel (observed IP 193.109.85.231). The actor iterates on both the delivery (ISO -> LNK previously; ZIP -> JScript now) and payload obfuscation to evade detection, but the technical chain—decode via certutil, execute DLL with rundll32, decrypt memory-mapped PE, and exfiltrate credentials—remains consistent.
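As an added detection example (not code from the Unit42 report or this summary), the following Python correlates the chain described above over constructed process-creation events: a certutil decode whose output is a DLL, then rundll32.exe invoking that DLL's export from a staging directory, with a script-host ancestor. The event fields, regexes and sample paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: int        # ordering key (e.g. seconds); assumed field layout
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events (not taken from the report): wscript.exe runs the
# JScript, which launches a batch file that decodes the blob and calls the export.
SAMPLE_EVENTS = [
    ProcEvent(1, 100, 50, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(2, 101, 100, "cmd.exe", r'cmd.exe /c C:\Users\u\AppData\Roaming\temp\run.bat'),
    ProcEvent(3, 102, 101, "certutil.exe",
              r'certutil -f decode C:\Users\u\AppData\Roaming\temp\blob.txt C:\Users\u\AppData\Roaming\temp\out.dll'),
    ProcEvent(4, 103, 101, "rundll32.exe", r'rundll32.exe C:\Users\u\AppData\Roaming\temp\out.dll,hello'),
    # benign rundll32 use that must not fire
    ProcEvent(5, 104, 60, "rundll32.exe", r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

# "-f decode" as quoted in the report; "-f -decode" is certutil's documented form
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s+-f\s+-?decode\s+(\S+)\s+(\S+)", re.I)
RUNDLL32_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),\s*(\w+)", re.I)
STAGING_MARKERS = ("\\appdata\\", "c:\\temp\\")   # %appdata%\temp and C:\temp
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def has_script_host_ancestor(ev, by_pid, max_depth=8):
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if cur.image.lower() in SCRIPT_HOSTS:
            return True
        cur = by_pid.get(cur.ppid)
    return False

def find_strela_chain(events, min_reasons=2):
    """Return rundll32 events that match at least min_reasons chain indicators."""
    by_pid = {e.pid: e for e in events}
    decoded = {}   # lowercased certutil output path -> decode event
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        m = CERTUTIL_DECODE.search(ev.cmdline)
        if m:
            decoded[m.group(2).lower()] = ev   # unquoted paths only (sample data)
            continue
        m = RUNDLL32_EXPORT.search(ev.cmdline)
        if not m:
            continue
        dll, export = m.group(1).lower(), m.group(2).lower()
        reasons = []
        if export == "hello":
            reasons.append("export 'hello'")
        if any(mk in dll for mk in STAGING_MARKERS):
            reasons.append("dll in staging dir")
        if dll in decoded:
            reasons.append("dll produced by certutil decode")
        if has_script_host_ancestor(ev, by_pid):
            reasons.append("script-host ancestry")
        if len(reasons) >= min_reasons:
            hits.append({"pid": ev.pid, "dll": dll, "reasons": reasons})
    return hits
```

Requiring two or more indicators keeps ordinary rundll32 use (last sample event) from firing while still catching a variant that renames the export again.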
Read more: https://unit42.paloaltonetworks.com/strelastealer-campaign/