An updated StrelaStealer variant was observed by SonicWall, delivered via JavaScript email attachments and targeting European countries while focusing on stealing credentials from Outlook and Thunderbird. The malware uses obfuscation and anti-analysis techniques, loads a payload through a 64-bit loader, and exfiltrates data to a hardcoded server using encrypted communications.
#StrelaStealer #SonicWall
Keypoints
- New StrelaStealer variant targets European countries and employs enhanced obfuscation and anti-analysis techniques.
- Delivery occurs via JavaScript in email attachments, dropping a 64-bit executable that acts as a loader for the actual payload.
- The payload is decrypted in memory with a single-byte XOR using an embedded key, revealing the encrypted PE that is then executed.
- The loader dynamically resolves Windows APIs (e.g., VirtualAlloc, LoadLibraryA, GetProcAddress) and maps the payload into memory before execution.
- Stolen data includes Thunderbird credentials (logins.json, key4.db) and Outlook data from registry keys, exfiltrated to a server via HTTP POST after XOR encryption.
- Observed IOCs include multiple file hashes, a hardcoded server IP (45.9.74.12) and server URL, as well as specific registry paths and files involved in credential theft.
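The single-byte XOR wrapping of the embedded PE described above is something an analyst can undo without the loader's key: decoding under all 256 keys and validating the MZ header, its e_lfanew pointer and the PE signature together is enough to locate and recover the payload. The following is an added example (not SonicWall's or the malware's code) that does this on a constructed stand-in for a loader; the sample bytes and the key 0x5A are constructed for the demonstration. A plaintext loader's own header shows up as key 0 at offset 0, which the function reports alongside the embedded hit rather than hiding.

```python
"""Analyst helper (added example): recover a PE hidden by single-byte XOR by brute-forcing
the key and validating the MZ -> e_lfanew -> PE-signature chain, not just a string match."""
import struct

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation the loader applies to its embedded payload."""
    return bytes(b ^ key for b in data)

def pe_header_at(blob: bytes, start: int, key: int) -> bool:
    """True if decoding from `start` with `key` yields an MZ header whose e_lfanew hits 'PE\\0\\0'."""
    if len(blob) - start < 0x40:
        return False
    dos = xor_bytes(blob[start:start + 0x40], key)
    if dos[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    sig = start + e_lfanew
    if e_lfanew < 0x40 or sig + 4 > len(blob):
        return False
    return xor_bytes(blob[sig:sig + 4], key) == b"PE\0\0"

def find_xored_pes(blob: bytes):
    """Return [(key, offset, decoded_tail)] for every validated header, keys tried in order.
    Key 0 at offset 0 is the carrier's own header when blob is a loader executable."""
    hits = []
    for key in range(256):
        needle = bytes([ord("M") ^ key, ord("Z") ^ key])  # what "MZ" looks like under this key
        pos = blob.find(needle)
        while pos != -1:
            if pe_header_at(blob, pos, key):
                # decode to end of blob; the true image size would come from the section table
                hits.append((key, pos, xor_bytes(blob[pos:], key)))
            pos = blob.find(needle, pos + 1)
    return hits

def build_sample_pe() -> bytes:
    """Constructed PE-shaped buffer (not a real binary): MZ header, e_lfanew=0x80,
    PE signature, AMD64 machine field, zero filler. 192 bytes in total."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + b"\x64\x86" + b"\0" * 58

# Constructed loader stand-in: its own plaintext header, junk, then the payload XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = build_sample_pe() + b"\x13\x37" * 16 + xor_bytes(build_sample_pe(), SAMPLE_KEY) + b"\xab" * 8

if __name__ == "__main__":
    for key, off, _ in find_xored_pes(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset=0x{off:x}")
```

Run against a real loader dump, the same scan reports the carrier at key 0 and any embedded image at its key and offset; the decoded tail can then be carved to its real size from the section headers.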
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The initial vector is JavaScript which will drop the 64-bit executable file in the %userprofile% folder and execute the malware process. [‘This updated version of malware delivered via JavaScript comes in archive files as attachments in emails. The initial vector is JavaScript…’]
- [T1059.007] Command and Scripting Interpreter – JavaScript used as the delivery mechanism for the loader. [‘The initial vector is JavaScript which will drop the 64-bit executable file in the %userprofile% folder and execute the malware process.’]
- [T1027] Obfuscated/Compressed Files and Information – The malware uses heavy obfuscation and anti-analysis to delay execution. [‘This obfuscation is quite effective. Anti-analysis techniques delay the execution…’]
- [T1055] Process Injection – The loader maps the payload into memory, resolves APIs dynamically, and transfers execution to the injected code. [‘The injected payload is 64-bit executable file… The malware parses the PE file structure… and copies each section of data to this offset in memory.’]
- [T1059.001] System Binary Proxy Execution (or T1059 family) – The loader resolves kernel32.dll exports to obtain VirtualAlloc and other APIs before loading the payload. [‘It resolves the API dynamically… and reads the export table.’]
- [T1012] Registry – The malware enumerates Windows registry keys to locate Outlook data (IMAP settings). [‘The following registry key is enumerated to steal data from Outlook…’]
- [T1555.003] Credentials from Password Stores – Thunderbird/Outlook credential theft by locating logins.json and key4.db and exfiltrating them. [‘Finds logins.json and key4.db; reads the data and exfiltrates…’]
- [T1041] Exfiltration Over C2 Channel – Data is sent to a hardcoded server via HTTP POST after XOR encryption. [‘establishes a connection to its server and prepares an HTTP post request… exfiltrates this data to its server.’]
- [T1562.001] Impair Defenses (Defense Evasion) – Various anti-analysis and dummy functions used to thwart analysis. [‘Anti-analysis techniques delay the execution…’]
Indicators of Compromise
- [File Hash] Archive file – MD5: ca4797bf995c91864c8b290ebd4e1c7b, SHA256: 74f21472fed71aaccbd60b34615a8390725cbab6cb25bbc6a51bd723ff8bd01a (and 2 more hashes)
- [File Hash] JavaScript (Initial vector) – MD5: C235CE3765F9B1606BDA81E96B71C23B, SHA256: E083662C896C47064FD47411D47459BF4B1CB26847B5D26AEDD7F9D701CABD43
- [File Hash] Main 64-bit executable file – MD5: 1E37C3902284DD865C20220A9EF8B6A9, SHA256: F2D7CF39392D394D6CCD0F9372DB7D486D4CB2BB6C3BBFD0D8BFBB6117A5E211
- [File Hash] Injected 64-bit Payload – MD5: 95F51B48FB079ED4E5F3499D45B7F14E, SHA256: C02BB26582576261645271763A17DE925C2D90D430E723204BAEC82030DC889A
- [IP Address] Server IP – 45.9.74.12
- [URL] Server URL – http://45.9.74.12/server.php
- [Path] Thunderbird profile search path – C:\Users\<user>\AppData\Roaming\Thunderbird\Profiles
- [File] logins.json and key4.db – Thunderbird credential stores
- [Registry] Outlook registry key – SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- [Mutex] Mutex for single-instance execution – Mutex created from partially encrypted computer name using key MIR24
Read more: https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/