StrelaStealer’s Malware Resurgence: What Security Leaders Need to Know in 2024

Stolen credentials are the most common way for attackers to gain initial access to an organization, according to the 2023 DBIR report. As an analyst for CyOps, Cynet's team of experts who monitor threat actor activity and protect Cynet customers, I've seen how cybercriminals pilfer usernames and passwords, then ruthlessly leverage those stolen logins to wreak havoc inside organizations.

The damage can be particularly disastrous for small-to-medium enterprises (SMEs) that lack the large budgets and sprawling security teams needed to respond quickly to a breach. Therefore, it's essential for SME IT security leaders to ensure their organizations are secured through reasonable measures that reduce their exposure to compromise.

For a deeper technical dive into the mechanics and mitigations of credential stealing, plus attackers' other popular points of entry, I highly encourage you to watch "Securing the Top 3 SME Attack Vectors."

Now, in this piece, we'll dissect a timely example of credential theft, StrelaStealer, to identify the malware's characteristics and capabilities, and the detections and preventions needed to block it from affecting your organization.

StrelaStealer's New Tricks

A large StrelaStealer campaign recently hit hundreds of US- and EU-based organizations. StrelaStealer, as its name suggests, is a stealer. Its goal is to steal email login credentials from victim machines, focusing mainly on Thunderbird and Outlook email accounts.

When StrelaStealer was first observed in early November 2022, it was distributed as an ISO file containing a .LNK file which either side-loaded the stealer's DLL payload or, via a more sophisticated method, executed the payload as a DLL/HTML polyglot.

That distribution method has evolved. In this most recent campaign, we see StrelaStealer delivered by phishing emails in various languages, depending on what language the target speaks.

In this phishing email, we can see how users are lured into opening a zip file attachment purporting to contain a PDF invoice:

[Screenshot: the phishing email with the zip attachment]

The zip file actually contains a JavaScript file named "18262829011200.js":

[Screenshot: the JavaScript file inside the zip archive]

Now, by performing static and dynamic analysis, we can examine that file and understand its functionality and capabilities.

Static Analysis

First up, static analysis. StrelaStealer's source code can be parsed for indicators of potentially malicious behaviour without executing it.

Reviewing the file in a text editor reveals several interesting commands:

  1. The following commands look like an obfuscated script, replacing characters with variable names:
    [Screenshot: the obfuscated script]

De-obfuscating the code, we can see that it contains several commands that use native Windows programs to create and ultimately run a DLL file named "returnready.dll":

[Screenshot: the de-obfuscated commands]

  2. Further strings reveal more obfuscated code, using the same method of assigning characters to variables:
    [Screenshot: the second obfuscated section]

Once decoded, we can see how wscript's 'shell' method is used to execute cmd.exe and create the file "trousersperpetual.bat" in the %temp% directory:

[Screenshot: the decoded wscript shell command]

  3. Finally, a very large base64-encoded string was observed in the file:
    [Screenshot: the base64-encoded string]

Decoding the string, we can see that it is a portable executable (PE) file:

[Screenshot: the decoded PE file]

Dynamic Analysis

Next, dynamic analysis. StrelaStealer can be run in a controlled environment to reveal its attack flow step by step.

Upon execution of the file "18262829011200.js" by wscript.exe, cmd.exe is used to create a copy of the .js file's contents, which is then saved on the host as the file "C:\Users\*\AppData\Local\Temp\trousersperpetual.bat":

[Screenshot: cmd.exe creating trousersperpetual.bat]

Cmd.exe continues by running "findstr" on the file "C:\Users\*\AppData\Local\Temp\trousersperpetual.bat", selecting all lines that do not contain the word "marrywise" and saving the result to the file "C:\Users\*\AppData\Local\Temp\magnificentdevelopment".


This file ends up containing the large base64 string found during our static analysis:

[Screenshot: the base64 content of magnificentdevelopment]

Then certutil.exe is invoked to decode the newly created base64-encoded file "magnificentdevelopment" into the file "C:\Users\*\AppData\Local\Temp\returnready.dll".


This is in fact StrelaStealer's payload file:

[Screenshot: the decoded returnready.dll]

The file "returnready.dll" is then executed by rundll32.exe, which proceeds to enumerate the host's Outlook and Thunderbird email account data before exfiltrating it to the threat actor's command and control (C2) server.

[Screenshot: rundll32.exe executing returnready.dll]

MITRE ATT&CK Tactics & Techniques

Initial Access: Phishing
Execution: Command and Scripting Interpreter; User Execution; System Binary Proxy Execution
Defense Evasion: Deobfuscate/Decode Files or Information; Obfuscated Files or Information
Collection: Email Collection
Command and Control: Application Layer Protocol
Exfiltration: Automated Exfiltration; Exfiltration Over C2 Channel

How to detect StrelaStealer

With an understanding of StrelaStealer's characteristics and capabilities, cybersecurity teams can make sure their protections are able to block the stealer from compromising their organization.

Because Cynet is well able to detect and prevent StrelaStealer, we'll configure the all-in-one cybersecurity solution in detection mode (without prevention) to allow StrelaStealer to execute its full attack flow. This simulated execution lets Cynet detect and log every step of the attack, while highlighting how StrelaStealer triggers two specific Cynet detections.

1. File Dumped on the Disk

Cynet's AV/AI engine detects that malicious files were dumped on the disk or are attempting to run:

[Screenshots: Cynet "File Dumped on the Disk" alerts for the dropped files]

2. Process Monitoring

Cynet's Process Monitoring mechanism detects the use of certutil.exe to decode the malicious DLL file:

[Screenshot: Cynet Process Monitoring alert on certutil.exe]
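The process-monitoring detection above rests on the chain seen in the dynamic analysis: wscript.exe spawning cmd.exe, certutil.exe decoding a base64 file into %temp%, and rundll32.exe loading the file certutil just wrote. As an added example that is not Cynet's detection logic or code from the original article, the following checks that chain over constructed Sysmon-style process-creation events; the user name, PIDs, the findstr redirection syntax and the rundll32 export name are all assumptions.

```python
import re

# Constructed process-creation events, in chronological order (not real telemetry).
EVENTS = [
    {"pid": 412, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\18262829011200.js"'},
    {"pid": 520, "ppid": 412, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\trousersperpetual.bat"'},
    {"pid": 530, "ppid": 520, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r'findstr /v "marrywise" C:\Users\alice\AppData\Local\Temp\trousersperpetual.bat'
                r' > C:\Users\alice\AppData\Local\Temp\magnificentdevelopment'},
    {"pid": 540, "ppid": 520, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\magnificentdevelopment"
                r" C:\Users\alice\AppData\Local\Temp\returnready.dll"},
    {"pid": 550, "ppid": 520, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\returnready.dll,ExportPlaceholder"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_strela_chain(events):
    """Return human-readable findings for each suspicious link in the chain."""
    by_pid = {e["pid"]: e for e in events}
    decoded_outputs = {}   # lower-cased output path -> certutil event that wrote it
    findings = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        if name == "cmd.exe" and parent_name == "wscript.exe":
            findings.append(f"pid {e['pid']}: wscript.exe spawned cmd.exe")
        elif name == "certutil.exe":
            m = re.search(r"-decode\s+(\S+)\s+(\S+)", cmd, re.IGNORECASE)
            if m:
                out = m.group(2).lower()
                decoded_outputs[out] = e
                if "\\appdata\\local\\temp\\" in out:   # decoded straight into %temp%
                    findings.append(f"pid {e['pid']}: certutil decoded base64 into {m.group(2)}")
        elif name == "rundll32.exe":
            m = re.search(r"([a-z]:\\[^\s,]+)", cmd, re.IGNORECASE)
            if m and m.group(1).lower() in decoded_outputs:
                findings.append(f"pid {e['pid']}: rundll32 loaded certutil-decoded DLL {m.group(1)}")
    return findings


if __name__ == "__main__":
    for line in detect_strela_chain(EVENTS):
        print(line)
```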

For further guidance on safeguarding your SME, don't miss "Securing the Top 3 SME Attack Vectors." And make sure your team is empowered by an affordable, easy-to-use solution, such as Cynet's all-in-one cybersecurity platform, which is purpose-built for small teams. After all, the future of your organization is too important to gamble.