Security experts have uncovered a novel Strela Stealer campaign, which leverages a new iteration of email credential-stealing malware. In this campaign, the updated malware version is enriched with enhanced functionality and is now capable of gathering system configuration data via the “system info” utility. Moreover, Strela Stealer expanded its targets beyond Spain, Italy, and Germany to set eyes on Ukraine.
Strela Stealer Attacks Detection
Every day, approximately 560,000 new pieces of malware are detected, according to Statista. This highlights the ever-growing attack surface, which poses a significant challenge for cybersecurity defenders. To outscale cyber threats and detect malicious attacks on time, cyber defenders can rely on SOC Prime Platform offering a complete product suite for advanced threat detection and hunting.
Addressing the latest Strela Stealer attacks, SOC Prime Platform offers a curated set of CTI-enriched detections. Hit Explore Detections below and immediately access relevant detection rules, mapped to the MITRE ATT&CK® framework and compatible with 30+ SIEM, EDR, and Data Lake technologies.
Security engineers can also leverage Uncoder AI to seamlessly pack IOCs and perform retrospective analysis of adversaries’ TTPs. Instantly convert IOCs from the corresponding research by SonicWall into tailored queries compatible with various SIEM, EDR, and Data Lake languages.
Strela Stealer Attack Analysis: New Campaign Against Ukraine
The SonicWall Capture Labs team has been tracking Strela Stealer malware, which remained active throughout 2024. In early November 2024, the malicious strain spread via phishing emails emerged in a discreet campaign targeting users in Central and Southwestern Europe. It leveraged obfuscated JavaScript and WebDAV to bypass traditional security defenses while continuously evolving and refining its offensive capabilities to remain undetected while stealthily exfiltrating sensitive data.
A novel Strela Stealer iteration has recently been identified with notable updates. The malware is now also expanding its reach beyond Spain, Italy, and Germany and targets Ukraine.
The infection flow begins with JavaScript sent in archived email attachments. When executed, it triggers a PowerShell script that runs a DLL from a shared network location via Regsvr32.exe, bypassing disk storage. This stealthy method ensures the malicious DLL is executed directly from the network location.
The 64-bit DLL in the latest Strela Stealer variant acts as a loader for its payload, with the encoded core stored in its data section. The malware decrypts the weaponized file via custom XOR. This upgraded Strela Stealer variant displays advanced obfuscation capabilities with junk code and numerous jump instructions, hindering anti-malware analysis.
The DLL decrypts the payload, resolves necessary imports, and executes it, with RCX pointing to the payload’s entry. Both the wrapper DLL and payload include similar obfuscation methods, which points to the most sophisticated updates in this novel variant.
The injected payload, serving as a 64-bit executable, uses the “GetKeyboardLayoutList” API to check installed keyboard layouts, terminating if no match is found. Originally aimed at stealing email credentials from Outlook and Thunderbird, the updated malware iteration now also gathers system configuration data using the “system info” utility. The output is then saved in a temp file, encrypted, and sent to the server via a POST request. Stolen data is exfiltrated after encryption, with the malware expecting an “OK” server response.
Strela Stealer’s growing threat is marked by advanced obfuscation techniques that enable it to operate without leaving traces on disk, making detection more challenging, along with its expansion to Ukraine beyond European regions, which demands increased cyber vigilance. SOC Prime Platform for collective cyber defense provides organizations with cutting-edge technologies to outscale cyber threats while strengthening defenses and building a robust cybersecurity posture.
The post Strela Stealer Attack Detection: New Malware Variant Now Targets Ukraine Alongside Spain, Italy, and Germany appeared first on SOC Prime.
