
StrelaStealer’s Malware Resurgence: What Security Leaders Need to Know in 2024

Stolen credentials are the most common way for hackers to access an organization, according to the 2023 DBIR report. As an analyst for CyOps, Cynet’s team of experts that monitors threat actor activities and protects Cynet clients, I’ve seen how cybercriminals pilfer usernames and passwords, then ruthlessly leverage those lifted logins to wreak havoc on target organizations.

The damage can be especially disastrous for small-to-medium enterprises (SMEs) that lack the big budgets and sprawling security teams to respond rapidly to a breach. Therefore, it is crucial for SME I.T. security leaders to ensure that their organizations are secure through affordable measures to reduce their exposure to compromise.

For a deeper technical dive into the mechanics and mitigations of credential stealing, plus hackers’ other favorite points of entry, I highly encourage you to watch “Securing the Top 3 SME Attack Vectors” (https://go.cynet.com/top-3-sme-attack-vectors?utm_source=gbhackers&utm_medium=sponsored_article&utm_campaign=Q2-sponsored-webinars).

Now, in this piece, we’ll dissect a timely example of credential theft—StrelaStealer—to identify the malware’s characteristics and capabilities and the detections and preventions necessary to block it from affecting your organization. 

StrelaStealer’s New Tricks

A massive StrelaStealer campaign recently rocked hundreds of US- and EU-based companies. StrelaStealer, as its name suggests, is a stealer. Its goal is to swipe email login credentials from victim machines, focusing primarily on Thunderbird and Outlook email accounts.

When StrelaStealer was first observed in early November 2022, it was distributed as an ISO file that contained a .LNK file which either side-loaded the stealer’s DLL payload or, through a more sophisticated method, executed the payload as a DLL/HTML polyglot. 

That distribution method has evolved. In this most recent campaign, we see StrelaStealer delivered via phishing emails in several languages, depending on what their target speaks.

Here, in this phishing email, we can see how users are lured into opening a zip file attachment purporting to enclose a PDF invoice:

The zip file actually contains a JavaScript file named “18262829011200.js”:

Now, by performing static and dynamic analyses, we can assess that file and understand its functionality and capabilities.

Static Analysis

First up, static analysis. StrelaStealer’s script can be inspected without executing it to reveal what it is built to do.

Reviewing the file in a text editor reveals several interesting commands:

  1. The following commands look like an obfuscated script, replacing characters with variable names:

De-obfuscating the code, we can see that it contains several commands using native Windows applications to create and ultimately run a DLL file named “returnready.dll”:

  2. Additional strings show more obfuscated code, using the same method of setting characters as variables:

Once decoded, we can see how wscript’s ‘shell’ method is used to execute cmd.exe and create the file “trousersperpetual.bat” in the %temp% directory:

  3. Finally, a very large base64 encoded string was observed in the file:

Decoding the string, we can see that it is a portable executable (PE) file:

Dynamic Analysis

Next, dynamic analysis. StrelaStealer can be run in a controlled environment to reveal its attack flow step-by-step.

Upon execution of the file “18262829011200.js” via wscript.exe, cmd.exe is used to create a copy of the .js file’s contents, which is then saved on the host as the file “C:\Users\*\AppData\Local\Temp\trousersperpetual.bat”:

Cmd.exe continues by running “findstr” on the file “C:\Users\*\AppData\Local\Temp\trousersperpetual.bat”, looking for all strings that do not contain the word “marrywise” and saving the result to the file “C:\Users\*\AppData\Local\Temp\magnificentdevelopment”.

This file ends up containing the large base64 string found in our static analysis:

Then certutil.exe is invoked to decode the newly created base64 encoded file “magnificentdevelopment” into the file “C:\Users\*\AppData\Local\Temp\returnready.dll”.

This is essentially StrelaStealer’s payload file:

The file “returnready.dll” is then executed via rundll32.exe, which proceeds to enumerate the host’s Outlook and Thunderbird email account data, before exfiltrating it to the threat actor’s command and control (C2) server. 

MITRE ATT&CK Tactics & Techniques

Initial Access: Phishing
Execution: Command and Scripting Interpreter; User Execution
Defense Evasion: Deobfuscate/Decode Files or Information; Obfuscated Files or Information; System Binary Proxy Execution
Collection: Email Collection
Command and Control: Application Layer Protocol
Exfiltration: Automated Exfiltration; Exfiltration Over C2 Channel

How to detect StrelaStealer

With an understanding of StrelaStealer’s characteristics and capabilities, cybersecurity teams can ensure their protections are able to block the stealer from compromising their organization.

Because Cynet is easily able to detect and prevent StrelaStealer, we’ll configure the all-in-one cybersecurity solution in detection mode (without prevention) to allow StrelaStealer to execute its full flow. This simulated execution lets Cynet detect and log each step of the attack, while highlighting how StrelaStealer triggers two specific Cynet detections.

1. File Dumped on the Disk

Cynet’s AV/AI engine detects that malicious files have been dumped on the disk or are attempting to run:

2. Process Monitoring

Cynet’s Process Monitoring mechanism detects the use of Certutil.exe to decode the malicious DLL file:
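For teams without a product that ships these detections, the same behaviors can be checked in process-creation telemetry. The following is an added example, not Cynet’s detection logic or code from the article: it runs four rules modelled on the attack flow above (script host spawning cmd.exe, findstr /v over a Temp file, certutil -decode writing a .dll into Temp, rundll32 loading a DLL from Temp) over constructed sample events and reports whether the decode-then-run chain is present. The event records, paths and user name are constructed for the example.

```python
import re

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Constructed process-creation events (parent image, image, command line) that mirror
# the flow described above, plus one benign certutil use. Not real telemetry.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\18262829011200.js"'},
    {"id": 2, "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\trousersperpetual.bat"'},
    {"id": 3, "parent": "cmd.exe", "image": "findstr.exe",
     "cmdline": r'findstr /v marrywise C:\Users\alice\AppData\Local\Temp\trousersperpetual.bat'},
    {"id": 4, "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": r'certutil -decode C:\Users\alice\AppData\Local\Temp\magnificentdevelopment '
                r'C:\Users\alice\AppData\Local\Temp\returnready.dll'},
    {"id": 5, "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r'rundll32.exe C:\Users\alice\AppData\Local\Temp\returnready.dll'},
    {"id": 6, "parent": "cmd.exe", "image": "certutil.exe",   # benign certificate store query
     "cmdline": r'certutil -store My'},
]


def rule_hits(ev: dict) -> list:
    """Return the names of the detection rules a single event matches."""
    cl = ev["cmdline"].lower()
    hits = []
    if ev["image"] == "cmd.exe" and ev["parent"] in ("wscript.exe", "cscript.exe"):
        hits.append("script_host_spawns_shell")
    if ev["image"] == "findstr.exe" and " /v " in cl and TEMP_RE.search(cl):
        hits.append("findstr_inverse_filter_on_temp_file")
    if (ev["image"] == "certutil.exe" and "-decode" in cl
            and TEMP_RE.search(cl) and cl.rstrip().endswith(".dll")):
        hits.append("certutil_decodes_dll_in_temp")
    if ev["image"] == "rundll32.exe" and TEMP_RE.search(cl) and ".dll" in cl:
        hits.append("rundll32_loads_dll_from_temp")
    return hits


def assess(events: list) -> tuple:
    """Map each rule name to the id of the event that tripped it, and flag the
    decode-then-run chain when both certutil and rundll32 rules fired."""
    findings = {h: ev["id"] for ev in events for h in rule_hits(ev)}
    chain = {"certutil_decodes_dll_in_temp", "rundll32_loads_dll_from_temp"}.issubset(findings)
    return findings, chain


if __name__ == "__main__":
    found, chain_present = assess(EVENTS)
    print(found, "decode-then-run chain:", chain_present)
```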

For further guidance to safeguard your SME, don’t miss “Securing the Top 3 SME Attack Vectors.” And make sure your team is empowered by an affordable, easy-to-use solution, such as Cynet’s all-in-one cybersecurity platform, which is purpose-built for small teams. After all, the future of your organization is too important to gamble.

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
