Large-Scale StrelaStealer Email Campaigns Continue to Target Organizations in U.S. and EU

A recent surge of StrelaStealer malware attacks has affected over 100 organizations across the European Union and the United States. The malware is designed to steal email account credentials from popular email clients and send them back to the attacker's command and control (C2) server.

The threat actors behind StrelaStealer have been active since the malware emerged in 2022, launching multiple large-scale email campaigns to harvest credentials. The recent campaigns rely on spam emails carrying attachments that ultimately deploy the StrelaStealer DLL payload.

To evade detection, the attackers keep changing the file format of the email attachments, so that filters keyed to a particular extension or container type quickly go stale and analysts have to re-derive the unpacking steps for each wave. The malware author also updates the DLL payload with stronger obfuscation and anti-analysis techniques, which further slows signature creation and manual analysis.
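Because the outer attachment format changes from wave to wave, a mail-gateway check should classify an attachment by its content rather than by its extension, and then look inside archives for script droppers. The following is an added example of such a check, written for this page and not code from Unit 42 or from any product; the file names and the in-memory ZIP are constructed, and the list of magic bytes and script extensions is an assumption that a real deployment would extend.

```python
"""Triage an email attachment by content, not by its claimed extension.

Added example (not from the original report). Sample data is constructed.
"""
import io
import zipfile

# File-type signatures checked at the start of the attachment. ZIP is the
# container the report describes; the others are common alternatives.
# Assumption: this list is illustrative, not exhaustive.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",
}

# Script droppers a mail gateway should never let through inside an archive.
# Assumption: extension list chosen for this example.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".bat", ".cmd")


def sniff(data: bytes) -> str:
    """Return the content type based on leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name: str, data: bytes):
    """Return (content_kind, findings) for one attachment.

    Findings flag an extension/content mismatch, script members inside a
    ZIP, and PE files either bare or inside a ZIP.
    """
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []

    if kind == "zip":
        if ext != "zip":
            findings.append(f"extension .{ext} but content is zip")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                low = info.filename.lower()
                if low.endswith(SCRIPT_EXTS):
                    findings.append(f"script member {info.filename}")
                    continue
                # Read only the first two bytes so an oversized or nested
                # archive member cannot blow up memory during triage.
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append(f"PE member {info.filename}")
    elif kind == "pe":
        findings.append("bare PE attachment")

    return kind, findings


def build_sample_zip() -> bytes:
    """Constructed ZIP containing a JScript dropper, mimicking the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.js",
                    "var sh = WScript.CreateObject('WScript.Shell');")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("Invoice_2024.zip", "Invoice_2024.pdf"):
        print(name, triage_attachment(name, build_sample_zip()))
```

The key design choice is that the ZIP is recognised and opened whether the sender named it `.zip`, `.pdf` or anything else, so an attacker gains nothing by relabelling the container; the script-member check is then applied to what is actually inside.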

The StrelaStealer infection chain starts with spear phishing emails carrying ZIP file attachments. Once the user opens the archive and runs the JScript file inside, it drops a Base64-encoded file and a batch file on the system; the batch file decodes the Base64 blob into a PE DLL. The DLL is then executed with rundll32.exe, which loads it and calls one of its exported functions, starting the credential theft.
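The chain above (script host, batch file, Base64 decode, rundll32 loading a DLL from a user-writable path) is what an endpoint detection should key on, since each stage alone is common on a normal host. The following is an added example of that detection logic run over constructed process-creation events; it is not code from Unit 42 or from any product. The file paths, the export name `Entry`, and the use of `certutil -decode` as the batch file's decoder are assumptions made for the example, not details stated on this page.

```python
"""Detect the StrelaStealer dropper chain in process-creation telemetry.

Added example (not from the original report). Events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry. Paths, export name and the certutil-based
# decoder are assumptions for this example, not facts from the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\Invoice_2024.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\certutil.exe",
              r"certutil -f -decode C:\Users\u\AppData\Local\Temp\payload.txt "
              r"C:\Users\u\AppData\Local\Temp\payload.dll"),
    ProcEvent(500, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Entry"),
    # Benign: Explorer launching rundll32 with a system DLL.
    ProcEvent(600, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Directories an unprivileged user can write to; a DLL run from here by
# rundll32 is the weak indicator that gates the rest of the logic.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Walk the parent chain, guarding against PID reuse cycles."""
    chain, seen, cur = [], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def rundll32_dll(cmdline: str):
    """Extract the DLL path from 'rundll32.exe <dll>,<export>'."""
    m = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)"?\s*,', cmdline, re.I)
    return m.group(1) if m else None


def find_strela_chain(events):
    """Return rundll32 launches matching the dropper chain.

    A hit requires a DLL in a user-writable path plus at least one strong
    indicator: a script-host ancestor, or a sibling certutil -decode whose
    command line names that same DLL.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "rundll32.exe":
            continue
        dll = rundll32_dll(ev.cmdline)
        if dll is None or not USER_WRITABLE.search(dll):
            continue
        reasons = []
        if any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid)):
            reasons.append("script-host ancestor")
        if any(e.ppid == ev.ppid and basename(e.image) == "certutil.exe"
               and "-decode" in e.cmdline.lower()
               and dll.lower() in e.cmdline.lower() for e in events):
            reasons.append("certutil decode")
        if reasons:
            hits.append({"pid": ev.pid, "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_strela_chain(SAMPLE_EVENTS):
        print(hit)
```

Requiring a strong indicator on top of the user-writable-path gate is what keeps the false-positive rate tolerable: installers and updaters do launch rundll32 against DLLs under AppData, but they are not spawned by wscript.exe and do not decode their payload with certutil first.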

The threat actor has added control flow obfuscation to the latest version of StrelaStealer, making the samples harder to analyze statically. The payload's purpose is unchanged: harvest credentials from the victim's email clients and send them to a hard-coded C2 server.

Palo Alto Networks states that its products, including Cortex XDR with Advanced WildFire, Next-Generation Firewalls with cloud-delivered security services, and Prisma Cloud Defender agents, provide protection against this campaign. Customers can engage the Unit 42 Incident Response team for help responding to a compromise or hardening their environment.

The ongoing evolution of StrelaStealer underscores the importance of staying vigilant against changing phishing lures and of implementing robust, content-based defenses to safeguard credentials and other sensitive information.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.