Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV
Key Takeaways
- The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
- This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
- Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
- The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
- The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain.
- Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
- In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.
Executive Summary
Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using “rundll32.exe”.
The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello.“
In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry.” By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products.
Technical Details:
The Strela Stealer campaign begins with a carefully crafted phishing email written in German, with a theme designed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.
Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.
The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.
The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.
Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.
The code below demonstrates the use of XOR and other arithmetic operations for decryption.
The image below displays the decrypted MZ content.
The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Sterla Stealer, a malware active since April 2022.
Here we compared the previous version of Sterla Stealer with the new one.
Campaign Identified in 2022 | Campaign Identified in March 2024 | Latest Campaign |
No code obfuscation | Employed control flow obfuscation | Employed control flow obfuscation |
No decryption of PE file from DLL file | Decrypts a memory mapped PE file | Decrypts a memory mapped PE file |
strela, server.php, key4.db, and login.json strings present in the decrypted PE file | strela, server.php, key4.db, and login.json strings present in the decrypted PE file | Strela string is removed |
PDB path is present | No PDB path | No PDB path |
Export function name: Strela | Export function name: hello | Export function name: Entry |
Drops payload from ISO | Drops payload from ZIP | Executes payload from WebDAV Server |
While the Strela stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.
Next, the stealer obtains the locale settings from the victim’s machine by utilizing the GetKeyboardLayout API and comparing the results to the specific hardcoded Language identifiers mentioned below.
- 0407 – German (Germany)
- 0C0A – Spanish (Spain)
- 042D – Basque (Spain)
If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.
Targeting Thunderbird
The malware scans for Thunderbird profiles and collects “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.
Targeting Outlook
To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:
- Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.
Gathering System Information
Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.
In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.
In its final steps, the malware utilizes a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server. By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.
Conclusion
The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.
Cyble’s Threat Hunting Packages
At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware.
In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the Organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics.
For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.
Recommendations
- Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
- Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
- Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
- Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
- Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
- Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.
MITRE ATT&CK® Techniques
Tactic | Technique | Procedure |
Initial Access (TA0001) | Phishing (T1566) | The campaign starts with spear-phishing emails containing ZIP file attachments. |
Execution (TA0002) | User Execution (T1203) | The obfuscated JavaScript code executes via WScript, running PowerShell commands. |
Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell commands are triggered to execute the final payload. |
Credential Access (TA0006) | Credential Dumping (T1003) | The malware retrieves usernames and passwords from Thunderbird and Outlook profiles. |
Discovery (TA0007) | System Information Discovery (T1082) | Executes systeminfo to gather system details and save it as a text file. |
Discovery (TA0007) | File and Directory Discovery (T1083) | Collects filenames from system directories using COM objects. |
Command and Control (TA0011) | Application Layer Protocol (T1071) | The encrypted data is sent to the C&C server via HTTP POST requests. |
Exfiltration (TA0010) | Exfiltration Over Command and Control Channel (T1041) | The stolen data, including login credentials, is exfiltrated to the TA’s server. |
Indicators Of Compromise
Indicators | Indicator Type | Description |
dcd7dd2aaef3e87b467ce4e4682a63d2d01da20e31fada494435ae8a921c09ae | SHA256 | |
75d996a0a5262bff134d7a752efd1fb6325bc2ce347b084967e06725008180f9 | SHA256 | |
c5279ff9c215afbd5c54793c6fc36c80d2cefb0342a1471581b15e43bd4a9b08 | SHA256 | |
be76ab2054ef174331abfef53825254ac26bfc9657dca9c3767a5e5daf7bec1e | SHA256 | |
4e38abd0fef9a4b3f4cbc674601bc10766d4db588cb83d3e5fb50ec573c372cd | SHA256 | |
08007bc4c3711990eddd7cb342d176f470298027d923589206e4c9212cc95ba3 | SHA256 | JavaScript |
12cd832efcd3e3a6938ca5d445f572731b64866afc0129219d8110030aa22242 | SHA256 | JavaScript |
150f490ae97098342e192a6722872e86d468cbd2fd8b3d6c46f4601acdea85d1 | SHA256 | JavaScript |
154daf225df559d44d066027a5179aa68ebd9ce046787faa84bd3c230ad3fd08 | SHA256 | JavaScript |
16ae254deaa02b0acf5beda73cb178eb5c50e50b8d1752841ae8148b28354585 | SHA256 | JavaScript |
1a60dd873e71c926ede3bc395e45e10062f063a374f05e7ff6721b6e35706ec5 | SHA256 | JavaScript |
1f3b7fb2ec7e3f292a9d5fab2e263c777c4273af872673d324d580387a5f3236 | SHA256 | JavaScript |
22d34569742fc22c109f65a2edc8ef264c44f61e20014ac27160931acfba296c | SHA256 | JavaScript |
294c66460c3b0da83a3ed894bd1fb8a7fc5fed2b8fb3f6adb555d4b558371f00 | SHA256 | JavaScript |
2c447b38bc71b6b68234e3f7ea389807a9d61597aab5a11cc60133ee01fb7b79 | SHA256 | JavaScript |
3078f89fa189af1fc8d9b76ab03e2ae34de080072057d5630f8d829c18e0b29b | SHA256 | JavaScript |
32b8f94f5f7f359a3ef758a8de8ed554c7e5dec2b75f9a65461167eaa874cd00 | SHA256 | JavaScript |
34e9df65677f7e89fd3514103d9a75f7fb526485f1c8fa3bf82fe8896991683a | SHA256 | JavaScript |
34fdf466af7288f0b458daaca9eb76be88e182ae1b2eadb3281371c2d6726bc3 | SHA256 | JavaScript |
36a0751216fc7f90559abb10dcec2c1153e70c9d4da4d06a0a206ec2e726b92f | SHA256 | JavaScript |
37984a476fdeda094cdb82957a5aa0d2835527c4f403775d5e0182c64cb1a7fb | SHA256 | JavaScript |
3c09514e197004d822fd26798372cd7dc30ddcc7fe5585a8a13475319f57e7de | SHA256 | JavaScript |
3fe89e89556c0210bfb5094a524b1f81c87cde6b6bb2320abbe61d68ac6c4a4b | SHA256 | JavaScript |
404341b290e56b21c74d5768a98580813f5e81a5ef2e97e1af7aec6cb2a719b0 | SHA256 | JavaScript |
4781f4c8a8a43b559d1c1452e0e967cd23f7fd3d41a1065e5a3ec3366e3bf496 | SHA256 | JavaScript |
4a2317a78749539a8bf0d1e134bd68f64a5e956dee9a12157028969949bb29c4 | SHA256 | JavaScript |
4eaf2d0023d9531ee9e0d3958014260d95b817af5e74b9c6819f371a1a5af753 | SHA256 | JavaScript |
50c9bd0f5deca0b2edbc4128aa7895ec0268a246e536110efe81e3a3da696b0c | SHA256 | JavaScript |
540492ee7e2e3a0036bc34ff47519a17ad6a8300319b1ff9a1d1a210333cb46d | SHA256 | JavaScript |
58b0ae24a7f325b8c3acd001b4bdff35fc7e440a0bb910750e019a2657de0822 | SHA256 | JavaScript |
59894ed00aaa9f8ab743ea09a1c7add38b7bf378b073aea978fb1703ea9aacdd | SHA256 | JavaScript |
59c8dcd99af398b149bfd80b921e1b06f97e8cc6908d806b174341efb899d647 | SHA256 | JavaScript |
5a3633e0aad62b5ca063e3ffb15a2bbcdf7138f82113299b53f8194525cb32a3 | SHA256 | JavaScript |
5b296616d0cd44147e84e638dffed68d07b305bcee60601147bf41cb01e8c038 | SHA256 | JavaScript |
5c3a86bd9fb12cad7a98041d1ff35ac739b41a9e43abc525c4e96d61be6f9565 | SHA256 | JavaScript |
6044ea92d233b14cc6422e1cea8ee7ea8e241812f3e780f57f096101e5917f8a | SHA256 | JavaScript |
662a2a870928dc42d9cd04dbbb7a948300c98496bf4f68aa7ce1320d93da3180 | SHA256 | JavaScript |
666060f975e34e610bea2a3e2a6c8bad58506bee6acfbaefd2c02e563736351f | SHA256 | JavaScript |
67e95381a8d220063ea1a44e75bc9c9c2e0d973fb991c0ce92a798a1bfe23c1d | SHA256 | JavaScript |
680ea9c726dbfb5b8486ef5b5babb63704f32b4e3e949053b13a344440fe5149 | SHA256 | JavaScript |
68ffebea33905d680c382b4df481c564817044cf41345f41166cfaca106abfee | SHA256 | JavaScript |
6cb21cba9555eec2a173719188ffa609f3f99b6f615ada694db3e2de7fa4d9fe | SHA256 | JavaScript |
70f500e1941ce7f0ae0d4c12c44f3e265c701c1169193a55e5f842c093f303cc | SHA256 | JavaScript |
72c9297608f3ccb059aec33126178e40bd343c3c24b14a8a31a7742757a08a00 | SHA256 | JavaScript |
760c12ae673ae8902dfa096c17bbce7fc3e20eec069b7cc00d6bf1dd4a28757b | SHA256 | JavaScript |
76972fe36498d115bbcb742d842698fea1ebc062d0f79426dfbcaf4ad8bec0bd | SHA256 | JavaScript |
78c315657a6dd2d6ca01388aa3575344b689cbd18c172d83fe94399156b8010b | SHA256 | JavaScript |
7fcf23ad9d241ccd8f46a9a65bdd99741bade2bf323599f5639ebf160d35aa1e | SHA256 | JavaScript |
8502cf3b180e3ee6e526b5b33e17647d7234773c278d9009a6ae58a01fd96b97 | SHA256 | JavaScript |
8661d72b99ae335b6c0c74e2d2f156f8611666fe7f118ae251e224c8602f72f2 | SHA256 | JavaScript |
8ba18307df322c7c930dc19ff5f3a36b6a9040cc0dd05e65c1a434887a407b70 | SHA256 | JavaScript |
9082620184a4fe05ed92a0e88caea02cfec14d4c6494dc55269d8afade95d352 | SHA256 | JavaScript |
9255e44bcf40afa3c3fbd19f13a1d277c3bd7bd457866e904b220779fadce886 | SHA256 | JavaScript |
93fc8a04b28af9feb86c348c9b3a7d8422729697832e6895f8738b663da32905 | SHA256 | JavaScript |
9a9303997fefb2de0a66db9652d53bce7d17b9a1e8e738ee91801a29f72621d6 | SHA256 | JavaScript |
9aefb3b5e3a0727c6d96b103c432acb57c42294373bbd8d984a8aeb94659cd43 | SHA256 | JavaScript |
9eb4a88bc7ba156af849fcd956744c65677372db5e5cb09115df8ec900928cbb | SHA256 | JavaScript |
9fc8d64d8204045764d0990647d42cb386c98501199553d043c277133549193a | SHA256 | JavaScript |
a09688c0ce051235e92bb938090eebedea57c706158e0b665edce17d8dbe7543 | SHA256 | JavaScript |
a0def4009d3d6444b05f8d4071a65fbba6b6b36176104fc1fbb04affd0282969 | SHA256 | JavaScript |
a21f6c960cb3a702a9cf1da645301688b98763a8d1a4269a6b010616477e742f | SHA256 | JavaScript |
a76fc70044c88c9313da07e3afa039640373c639ac16ae85ddef201fa5995ce3 | SHA256 | JavaScript |
a77cd7dcea434bea2ce6dbc1af32668007c0fc5168a325c0c9df8f976d47ae0c | SHA256 | JavaScript |
b0f2cff2784b1779a9688a3cd43436d272683554b356d2a6f75903e40ce680ed | SHA256 | JavaScript |
b2efbb7368a89a746f5f1aea8e3df16cb017b4f79e0a6c3c1aaf51a7437cdd1b | SHA256 | JavaScript |
b5f9dff76d3cdf16ad8c95e699a4dd347e2bf987d7b9a4601b4bb6b7505a560f | SHA256 | JavaScript |
c1503c63332d723bc67acdc8de2fbaffb92b11de8174030eaf863d7ed152f947 | SHA256 | JavaScript |
c55f10a2633aa6c7f5e246cee23ed04e73896f88a042c070a6c66698dc8b1f3e | SHA256 | JavaScript |
ca3a8107b0c1ecf1a9f258e5b155a652e81710a2fa910bfd5ed31305a10ed06f | SHA256 | JavaScript |
ca6446b428305c1845b87a4562c4ef24d99e5929a2a65101689ca473b0bbec43 | SHA256 | JavaScript |
d3b78c9fdf7df019c14a21c18f4ca27c4210f31191ba5f35de358373b4077d43 | SHA256 | JavaScript |
d40dbeaf32abed1610e11408953ddddad985cea279b86c31a27b841519112bfb | SHA256 | JavaScript |
e2fa1484fa6cccfdae5838e59f4516017c3cd15e4872db0e459c43c8c8076882 | SHA256 | JavaScript |
ea090dccb35324c998ac5c2e3e499ed4c3812372cd6936777a9b4d10f8329c65 | SHA256 | JavaScript |
ee5cee0d57239e192cde8a52398172b515148969e4f6fc4bcf89de24aedafd4b | SHA256 | JavaScript |
f2708c2b771610ecda87d43c409a943fc4df6cdb090737ea47017f5ea4fc6a85 | SHA256 | JavaScript |
f68522b21d226a9d7ab91105e4412ea3ad836801e090e1e6dce766def233c607 | SHA256 | JavaScript |
f85dbbb00236db3abcc3383f2708fa4f53f5a464a62c4338391f513f49ea8b76 | SHA256 | JavaScript |
fc9617a69ee597606fbc68a5280819e48c9679b1d44d09f86cb4b62b68835209 | SHA256 | JavaScript |
fd407ac4d456c2196b128587347d85856989faec188334a8fbc4469f4b4e6ef2 | SHA256 | JavaScript |
fed183856e7f09bb9f73d8c9d57bd3573ec846da1a49dc1eeb295c845007f5a2 | SHA256 | JavaScript |
ffdf20ae5a3124a69711eb46b11b01bed6cffb66aef711732f96ddb4546cb635 | SHA256 | JavaScript |
ffe0ff011712afeb8ebc70e09bb455cc6fdd36c8d3b31004d25dc1cd8cc74b8f | SHA256 | JavaScript |
04f2cd6ddf9faef579d303c5efd2fc65b9997e05c3f75ea9b0cfc474f5e9019a | SHA256 | Strela Stealer |
13d96ed827887f6c31d907a5ee29441e2afd95be683e51e874cf5ad8207c1a98 | SHA256 | Strela Stealer |
1970d38e7fa45a46e792372a19d890541c87d1007ddedd53858b6df6728d72ff | SHA256 | Strela Stealer |
dbd301f710d45acdd639cda5cd47a5453b9abb8a361ed250bfc47de70318fec6 | SHA256 | Strela Stealer |
13531bd403e5f8f607bf16144c38ffd94004eafa8e6a098628b915de07ba432b | SHA256 | Strela Stealer |
080caffde331496a46e8cb35acd107ed113046b46310747a2dd15a62efab23b5 | SHA256 | Strela Stealer |
bd26724bdc8c5d9cb65d361231048725fbc31072d4c457c23531bc4333460011 | SHA256 | Strela Stealer |
77836c0b18bbfef70fd04ba674ea045bf109851efe76ae9bcc55c2dcd08cc3c5 | SHA256 | Strela Stealer |
03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311 | SHA256 | Strela Stealer |
cd39bec789b79d9ea6a642ab2ddc93121f5596de21e3b13c335ceaddb83f2083 | SHA256 | Strela Stealer |
b9ae263904d3a5fb8471a0f8ab95fcbb224f632e6185e3a110e8d5aed9785420 | SHA256 | Strela Stealer |
vaultdocker[.]com | Domain | Malicious |
cloudslimit[.]com | Domain | Malicious |
dailywebstats[.]com | Domain | Malicious |
endpointexperiment[.]com | Domain | Malicious |
apitestlabs[.]com | Domain | Malicious |
94[.]159[.]113[.]48 | IP | Malicious |
References
https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
https://unit42.paloaltonetworks.com/strelastealer-campaign/
The post Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV appeared first on Cyble.
React to this headline: