Strela Stealer: Today’s Invoice Could Be Tomorrow’s Phishing Scam

IBM X-Force observed Hive0145 running ongoing phishing campaigns delivering Strela Stealer across Europe, increasingly focusing on Spain, Germany, and more recently Ukraine. The emails pose as invoice notifications and use weaponized attachments to harvest credentials from Microsoft Outlook and Mozilla Thunderbird.

Key points

  • Hive0145 operates as an initial access broker deploying Strela Stealer to compromise European targets.
  • Phishing messages are crafted as invoice notifications and include weaponized attachments to initiate infections.
  • Strela Stealer specifically targets credentials stored in Microsoft Outlook and Mozilla Thunderbird.
  • Since July 2024 the group has leveraged stolen emails to amplify the spread of Strela Stealer.
  • Campaign volume rose through 2024, reaching weekly activity levels by October.
  • By November 2024 campaigns expanded to include targets in Ukraine, and IBM X-Force assesses Hive0145 as likely the sole operator of Strela Stealer.

MITRE Techniques

  • [T1078] Initial Access – Uses stolen email credentials to gain access to victim accounts.
  • [T1003] Credential Dumping – Extracts user credentials from Microsoft Outlook and Mozilla Thunderbird.
  • [T1566] Phishing – Distributes malware via phishing emails disguised as legitimate invoices.
  • [T1210] Exploitation of Remote Services – Uses weaponized attachments to exploit vulnerabilities in email clients.
  • [T1071] Command and Control – Communicates with compromised systems to exfiltrate stolen data.

Indicators of Compromise

  • No IoCs Found

Hive0145’s campaign activity, as detailed by IBM X-Force, shows a deliberate and evolving approach to email-based intrusion. Attackers craft invoice-styled messages with weaponized attachments that exploit vulnerabilities in email clients to deliver Strela Stealer, which then extracts credentials from widely used mail applications.
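The report lists no indicators, so a host-side detection has to key on what the stealer must do rather than on what it looks like: some process other than the mail client reads the places where Outlook and Thunderbird keep saved credentials. The following is an added illustration of that logic, not IBM X-Force tooling or anything from the source article. The store locations (Thunderbird's per-profile logins.json and key4.db, Outlook's per-profile registry keys under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles) are assumed from general knowledge of the two clients, the telemetry events are constructed, and the process name "untrusted_process.exe" is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Where the two clients keep saved credentials. These locations are assumed
# from general knowledge of the clients, not taken from the X-Force report.
#   Thunderbird: <profile>/logins.json (encrypted logins) and key4.db (the key).
#   Outlook:     per-profile registry keys under HKCU\...\Office\<ver>\Outlook\Profiles.
THUNDERBIRD_STORE = re.compile(
    r"[\\/]Thunderbird[\\/]Profiles[\\/][^\\/]+[\\/](logins\.json|key4\.db)$",
    re.IGNORECASE,
)
OUTLOOK_PROFILE_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\",
    re.IGNORECASE,
)

# The one process expected to read each store. Backup agents or other
# legitimate software may need to be added after tuning in a real estate.
EXPECTED_READER = {"thunderbird": "thunderbird.exe", "outlook": "outlook.exe"}


@dataclass(frozen=True)
class AccessEvent:
    """One file or registry read as an EDR/Sysmon-style sensor might report it."""
    process: str    # image name of the process performing the read
    target: str     # file path or registry key that was read
    operation: str  # "file_read" or "reg_read"


def which_store(target: str) -> Optional[str]:
    """Return 'thunderbird' or 'outlook' if the target is a credential store, else None."""
    if THUNDERBIRD_STORE.search(target):
        return "thunderbird"
    if OUTLOOK_PROFILE_KEY.search(target):
        return "outlook"
    return None


def classify(event: AccessEvent) -> Optional[dict]:
    """Return an alert dict when a process other than the mail client reads a store."""
    store = which_store(event.target)
    if store is None:
        return None
    if event.process.lower() == EXPECTED_READER[store]:
        return None  # the client reading its own store is normal
    return {"store": store, "process": event.process, "target": event.target}


def scan(events: Iterable[AccessEvent]) -> list:
    """Run classify() over a stream of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


# Constructed sample telemetry (not real data). "untrusted_process.exe" is a
# placeholder for whatever process the stealer ends up running as.
TB_PROFILE = r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\abcd1234.default-release"
OL_PROFILE_KEY = r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
SAMPLE_EVENTS = [
    AccessEvent("thunderbird.exe", TB_PROFILE + r"\logins.json", "file_read"),
    AccessEvent("outlook.exe", OL_PROFILE_KEY, "reg_read"),
    AccessEvent("explorer.exe", r"C:\Users\alice\Documents\invoice.pdf", "file_read"),
    AccessEvent("untrusted_process.exe", TB_PROFILE + r"\logins.json", "file_read"),
    AccessEvent("untrusted_process.exe", TB_PROFILE + r"\key4.db", "file_read"),
    AccessEvent("untrusted_process.exe", OL_PROFILE_KEY, "reg_read"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process']} read {alert['store']} credential store: {alert['target']}")
```

On the constructed events the rule raises three alerts (two Thunderbird files and one Outlook profile key, all read by the placeholder process) and stays silent for the clients reading their own stores. The allowlist is deliberately narrow; the first week of running this against real telemetry is spent adding the handful of legitimate readers an environment actually has, not loosening the patterns.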

The group increased its operational tempo through 2024: starting to leverage stolen emails in July and moving to weekly distribution cadence by October, before expanding targeting to Ukraine in November. These shifts suggest active testing and refinement of their infection chain over an 18-month period.

Because Strela Stealer appears consistently connected to Hive0145’s infrastructure and tactics, IBM X-Force assesses the actor as likely the sole operator behind this stealer, posing an elevated risk to organizations and individuals in the affected regions.

Read more: https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/