Strela Infostealer, malware, WebDAV

Key Takeaways

  • The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
  • This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
  • Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
  • The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
  • The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain.
  • Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
  • In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.

Executive Summary

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using “rundll32.exe”.

The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello.

In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry.” By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products.

Technical Details:

The Strela Stealer campaign begins with a carefully crafted phishing email written in German, with a theme designed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.

Phishing, email
Figure 1 – Phishing Email

Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.

The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.

Javascript
Figure 2 – JavaScript File

The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.

IDA
Figure 3 – IDA graph view

Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.

DLL
Figure 4 – Key present in DLL file

The code below demonstrates the use of XOR and other arithmetic operations for decryption.

MZ Header
Figure 5 – Decrypting the MZ header

The image below displays the decrypted MZ content.

MZ header
Figure 6 – MZ Header

The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Sterla Stealer, a malware active since April 2022.

Here we compared the previous version of Sterla Stealer with the new one.

Campaign Identified in 2022 Campaign Identified in March 2024 Latest Campaign
No code obfuscation Employed control flow obfuscation Employed control flow obfuscation
No decryption of PE file from DLL file Decrypts a memory mapped PE file Decrypts a memory mapped PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file strela, server.php, key4.db, and login.json strings present in the decrypted PE file Strela string is removed
PDB path is present No PDB path No PDB path
Export function name: Strela Export function name: hello Export function name: Entry
Drops payload from ISO Drops payload from ZIP Executes payload from WebDAV Server

While the Strela stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.

Error message
Figure 7 – Fake error message

Next, the stealer obtains the locale settings from the victim’s machine by utilizing the GetKeyboardLayout API and comparing the results to the specific hardcoded Language identifiers mentioned below.

  • 0407 – German (Germany)
  • 0C0A – Spanish (Spain)
  • 042D – Basque (Spain)

If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.

Locale Check
Figure 8 – Locale Check

Targeting Thunderbird

The malware scans for Thunderbird profiles and collects “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.

Thunderbird
Figure 9 – Targeting Thunderbird profiles

Targeting Outlook

To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:

  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.

Gathering System Information

Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.

Systeminfo
Figure 10 – Gathering systeminfo

In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.

Data Theft
Figure 11 – Data Exfiltration

In its final steps, the malware utilizes a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server. By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.

Conclusion

The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.

Cyble’s Threat Hunting Packages

At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware.

In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the Organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics.

For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.

Strela Stealer, Infostealer

Recommendations

  • Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
  • Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
  • Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
  • Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
  • Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
  • Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) The campaign starts with spear-phishing emails containing ZIP file attachments.
Execution (TA0002) User Execution (T1203) The obfuscated JavaScript code executes via WScript, running PowerShell commands.
Execution (TA0002) Command and Scripting Interpreter (T1059) PowerShell commands are triggered to execute the final payload.
Credential Access (TA0006) Credential Dumping (T1003) The malware retrieves usernames and passwords from Thunderbird and Outlook profiles.
Discovery (TA0007) System Information Discovery (T1082) Executes systeminfo to gather system details and save it as a text file.
Discovery (TA0007) File and Directory Discovery (T1083) Collects filenames from system directories using COM objects.
Command and Control (TA0011) Application Layer Protocol (T1071) The encrypted data is sent to the C&C server via HTTP POST requests.
Exfiltration (TA0010) Exfiltration Over Command and Control Channel (T1041) The stolen data, including login credentials, is exfiltrated to the TA’s server.

Indicators Of Compromise

Indicators Indicator Type Description
dcd7dd2aaef3e87b467ce4e4682a63d2d01da20e31fada494435ae8a921c09ae SHA256 Email
75d996a0a5262bff134d7a752efd1fb6325bc2ce347b084967e06725008180f9 SHA256 Email
c5279ff9c215afbd5c54793c6fc36c80d2cefb0342a1471581b15e43bd4a9b08 SHA256 Email
be76ab2054ef174331abfef53825254ac26bfc9657dca9c3767a5e5daf7bec1e SHA256 Email
4e38abd0fef9a4b3f4cbc674601bc10766d4db588cb83d3e5fb50ec573c372cd SHA256 Email
08007bc4c3711990eddd7cb342d176f470298027d923589206e4c9212cc95ba3 SHA256 JavaScript
12cd832efcd3e3a6938ca5d445f572731b64866afc0129219d8110030aa22242 SHA256 JavaScript
150f490ae97098342e192a6722872e86d468cbd2fd8b3d6c46f4601acdea85d1 SHA256 JavaScript
154daf225df559d44d066027a5179aa68ebd9ce046787faa84bd3c230ad3fd08 SHA256 JavaScript
16ae254deaa02b0acf5beda73cb178eb5c50e50b8d1752841ae8148b28354585 SHA256 JavaScript
1a60dd873e71c926ede3bc395e45e10062f063a374f05e7ff6721b6e35706ec5 SHA256 JavaScript
1f3b7fb2ec7e3f292a9d5fab2e263c777c4273af872673d324d580387a5f3236 SHA256 JavaScript
22d34569742fc22c109f65a2edc8ef264c44f61e20014ac27160931acfba296c SHA256 JavaScript
294c66460c3b0da83a3ed894bd1fb8a7fc5fed2b8fb3f6adb555d4b558371f00 SHA256 JavaScript
2c447b38bc71b6b68234e3f7ea389807a9d61597aab5a11cc60133ee01fb7b79 SHA256 JavaScript
3078f89fa189af1fc8d9b76ab03e2ae34de080072057d5630f8d829c18e0b29b SHA256 JavaScript
32b8f94f5f7f359a3ef758a8de8ed554c7e5dec2b75f9a65461167eaa874cd00 SHA256 JavaScript
34e9df65677f7e89fd3514103d9a75f7fb526485f1c8fa3bf82fe8896991683a SHA256 JavaScript
34fdf466af7288f0b458daaca9eb76be88e182ae1b2eadb3281371c2d6726bc3 SHA256 JavaScript
36a0751216fc7f90559abb10dcec2c1153e70c9d4da4d06a0a206ec2e726b92f SHA256 JavaScript
37984a476fdeda094cdb82957a5aa0d2835527c4f403775d5e0182c64cb1a7fb SHA256 JavaScript
3c09514e197004d822fd26798372cd7dc30ddcc7fe5585a8a13475319f57e7de SHA256 JavaScript
3fe89e89556c0210bfb5094a524b1f81c87cde6b6bb2320abbe61d68ac6c4a4b SHA256 JavaScript
404341b290e56b21c74d5768a98580813f5e81a5ef2e97e1af7aec6cb2a719b0 SHA256 JavaScript
4781f4c8a8a43b559d1c1452e0e967cd23f7fd3d41a1065e5a3ec3366e3bf496 SHA256 JavaScript
4a2317a78749539a8bf0d1e134bd68f64a5e956dee9a12157028969949bb29c4 SHA256 JavaScript
4eaf2d0023d9531ee9e0d3958014260d95b817af5e74b9c6819f371a1a5af753 SHA256 JavaScript
50c9bd0f5deca0b2edbc4128aa7895ec0268a246e536110efe81e3a3da696b0c SHA256 JavaScript
540492ee7e2e3a0036bc34ff47519a17ad6a8300319b1ff9a1d1a210333cb46d SHA256 JavaScript
58b0ae24a7f325b8c3acd001b4bdff35fc7e440a0bb910750e019a2657de0822 SHA256 JavaScript
59894ed00aaa9f8ab743ea09a1c7add38b7bf378b073aea978fb1703ea9aacdd SHA256 JavaScript
59c8dcd99af398b149bfd80b921e1b06f97e8cc6908d806b174341efb899d647 SHA256 JavaScript
5a3633e0aad62b5ca063e3ffb15a2bbcdf7138f82113299b53f8194525cb32a3 SHA256 JavaScript
5b296616d0cd44147e84e638dffed68d07b305bcee60601147bf41cb01e8c038 SHA256 JavaScript
5c3a86bd9fb12cad7a98041d1ff35ac739b41a9e43abc525c4e96d61be6f9565 SHA256 JavaScript
6044ea92d233b14cc6422e1cea8ee7ea8e241812f3e780f57f096101e5917f8a SHA256 JavaScript
662a2a870928dc42d9cd04dbbb7a948300c98496bf4f68aa7ce1320d93da3180 SHA256 JavaScript
666060f975e34e610bea2a3e2a6c8bad58506bee6acfbaefd2c02e563736351f SHA256 JavaScript
67e95381a8d220063ea1a44e75bc9c9c2e0d973fb991c0ce92a798a1bfe23c1d SHA256 JavaScript
680ea9c726dbfb5b8486ef5b5babb63704f32b4e3e949053b13a344440fe5149 SHA256 JavaScript
68ffebea33905d680c382b4df481c564817044cf41345f41166cfaca106abfee SHA256 JavaScript
6cb21cba9555eec2a173719188ffa609f3f99b6f615ada694db3e2de7fa4d9fe SHA256 JavaScript
70f500e1941ce7f0ae0d4c12c44f3e265c701c1169193a55e5f842c093f303cc SHA256 JavaScript
72c9297608f3ccb059aec33126178e40bd343c3c24b14a8a31a7742757a08a00 SHA256 JavaScript
760c12ae673ae8902dfa096c17bbce7fc3e20eec069b7cc00d6bf1dd4a28757b SHA256 JavaScript
76972fe36498d115bbcb742d842698fea1ebc062d0f79426dfbcaf4ad8bec0bd SHA256 JavaScript
78c315657a6dd2d6ca01388aa3575344b689cbd18c172d83fe94399156b8010b SHA256 JavaScript
7fcf23ad9d241ccd8f46a9a65bdd99741bade2bf323599f5639ebf160d35aa1e SHA256 JavaScript
8502cf3b180e3ee6e526b5b33e17647d7234773c278d9009a6ae58a01fd96b97 SHA256 JavaScript
8661d72b99ae335b6c0c74e2d2f156f8611666fe7f118ae251e224c8602f72f2 SHA256 JavaScript
8ba18307df322c7c930dc19ff5f3a36b6a9040cc0dd05e65c1a434887a407b70 SHA256 JavaScript
9082620184a4fe05ed92a0e88caea02cfec14d4c6494dc55269d8afade95d352 SHA256 JavaScript
9255e44bcf40afa3c3fbd19f13a1d277c3bd7bd457866e904b220779fadce886 SHA256 JavaScript
93fc8a04b28af9feb86c348c9b3a7d8422729697832e6895f8738b663da32905 SHA256 JavaScript
9a9303997fefb2de0a66db9652d53bce7d17b9a1e8e738ee91801a29f72621d6 SHA256 JavaScript
9aefb3b5e3a0727c6d96b103c432acb57c42294373bbd8d984a8aeb94659cd43 SHA256 JavaScript
9eb4a88bc7ba156af849fcd956744c65677372db5e5cb09115df8ec900928cbb SHA256 JavaScript
9fc8d64d8204045764d0990647d42cb386c98501199553d043c277133549193a SHA256 JavaScript
a09688c0ce051235e92bb938090eebedea57c706158e0b665edce17d8dbe7543 SHA256 JavaScript
a0def4009d3d6444b05f8d4071a65fbba6b6b36176104fc1fbb04affd0282969 SHA256 JavaScript
a21f6c960cb3a702a9cf1da645301688b98763a8d1a4269a6b010616477e742f SHA256 JavaScript
a76fc70044c88c9313da07e3afa039640373c639ac16ae85ddef201fa5995ce3 SHA256 JavaScript
a77cd7dcea434bea2ce6dbc1af32668007c0fc5168a325c0c9df8f976d47ae0c SHA256 JavaScript
b0f2cff2784b1779a9688a3cd43436d272683554b356d2a6f75903e40ce680ed SHA256 JavaScript
b2efbb7368a89a746f5f1aea8e3df16cb017b4f79e0a6c3c1aaf51a7437cdd1b SHA256 JavaScript
b5f9dff76d3cdf16ad8c95e699a4dd347e2bf987d7b9a4601b4bb6b7505a560f SHA256 JavaScript
c1503c63332d723bc67acdc8de2fbaffb92b11de8174030eaf863d7ed152f947 SHA256 JavaScript
c55f10a2633aa6c7f5e246cee23ed04e73896f88a042c070a6c66698dc8b1f3e SHA256 JavaScript
ca3a8107b0c1ecf1a9f258e5b155a652e81710a2fa910bfd5ed31305a10ed06f SHA256 JavaScript
ca6446b428305c1845b87a4562c4ef24d99e5929a2a65101689ca473b0bbec43 SHA256 JavaScript
d3b78c9fdf7df019c14a21c18f4ca27c4210f31191ba5f35de358373b4077d43 SHA256 JavaScript
d40dbeaf32abed1610e11408953ddddad985cea279b86c31a27b841519112bfb SHA256 JavaScript
e2fa1484fa6cccfdae5838e59f4516017c3cd15e4872db0e459c43c8c8076882 SHA256 JavaScript
ea090dccb35324c998ac5c2e3e499ed4c3812372cd6936777a9b4d10f8329c65 SHA256 JavaScript
ee5cee0d57239e192cde8a52398172b515148969e4f6fc4bcf89de24aedafd4b SHA256 JavaScript
f2708c2b771610ecda87d43c409a943fc4df6cdb090737ea47017f5ea4fc6a85 SHA256 JavaScript
f68522b21d226a9d7ab91105e4412ea3ad836801e090e1e6dce766def233c607 SHA256 JavaScript
f85dbbb00236db3abcc3383f2708fa4f53f5a464a62c4338391f513f49ea8b76 SHA256 JavaScript
fc9617a69ee597606fbc68a5280819e48c9679b1d44d09f86cb4b62b68835209 SHA256 JavaScript
fd407ac4d456c2196b128587347d85856989faec188334a8fbc4469f4b4e6ef2 SHA256 JavaScript
fed183856e7f09bb9f73d8c9d57bd3573ec846da1a49dc1eeb295c845007f5a2 SHA256 JavaScript
ffdf20ae5a3124a69711eb46b11b01bed6cffb66aef711732f96ddb4546cb635 SHA256 JavaScript
ffe0ff011712afeb8ebc70e09bb455cc6fdd36c8d3b31004d25dc1cd8cc74b8f SHA256 JavaScript
04f2cd6ddf9faef579d303c5efd2fc65b9997e05c3f75ea9b0cfc474f5e9019a SHA256 Strela Stealer
13d96ed827887f6c31d907a5ee29441e2afd95be683e51e874cf5ad8207c1a98 SHA256 Strela Stealer
1970d38e7fa45a46e792372a19d890541c87d1007ddedd53858b6df6728d72ff SHA256 Strela Stealer
dbd301f710d45acdd639cda5cd47a5453b9abb8a361ed250bfc47de70318fec6 SHA256 Strela Stealer
13531bd403e5f8f607bf16144c38ffd94004eafa8e6a098628b915de07ba432b SHA256 Strela Stealer
080caffde331496a46e8cb35acd107ed113046b46310747a2dd15a62efab23b5 SHA256 Strela Stealer
bd26724bdc8c5d9cb65d361231048725fbc31072d4c457c23531bc4333460011 SHA256 Strela Stealer
77836c0b18bbfef70fd04ba674ea045bf109851efe76ae9bcc55c2dcd08cc3c5 SHA256 Strela Stealer
03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311 SHA256 Strela Stealer
cd39bec789b79d9ea6a642ab2ddc93121f5596de21e3b13c335ceaddb83f2083 SHA256 Strela Stealer
b9ae263904d3a5fb8471a0f8ab95fcbb224f632e6185e3a110e8d5aed9785420 SHA256 Strela Stealer
vaultdocker[.]com Domain Malicious
cloudslimit[.]com Domain Malicious
dailywebstats[.]com Domain Malicious
endpointexperiment[.]com Domain Malicious
apitestlabs[.]com Domain Malicious
94[.]159[.]113[.]48 IP Malicious

References

https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
https://unit42.paloaltonetworks.com/strelastealer-campaign/

The post Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV appeared first on Cyble.