A recent large-scale StrelaStealer malware campaign has struck over a hundred organizations spanning the United States and Europe, focusing on pilfering email account credentials.

First observed in November 2022, StrelaStealer emerged as a new strain of malware designed to steal email credentials from Outlook and Thunderbird accounts. It employed a polyglot file infection technique to slip past security software undetected.

Initially, the malware predominantly targeted Spanish-speaking users. However, a recent report from Palo Alto Networks’ Unit42 reveals a shift in its focus toward American and European users.

StrelaStealer spreads through phishing campaigns, which experienced a significant surge in November 2023, sometimes targeting over 250 organizations in the U.S. This trend persisted into 2024, with a notable spike in activity observed by Unit42 analysts between late January and early February of that year.

During this period, the number of attacks in the U.S. soared past 500 on some days, with at least 100 confirmed compromises in both the U.S. and Europe.

The actors behind StrelaStealer adapted their tactics, switching to English and other European languages so that their lures matched the new targets.

The targeted entities primarily operate in the high-tech sector, with additional targets in finance, legal services, manufacturing, government, utilities and energy, insurance, and construction.

Since late 2022, StrelaStealer has evolved its infection methods. While it relies on malicious emails as its primary vector, the latest approach involves ZIP attachments that drop JScript files onto victims’ systems. Upon execution, these scripts deploy a batch file and a base64-encoded file that decodes into a DLL, which is then executed via rundll32.exe to deliver the StrelaStealer payload.
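The infection chain above (script host running a dropped JScript file, a batch file, then rundll32.exe loading a DLL from a user-writable path) is something a defender can hunt for in process-creation telemetry. The following is an added illustration, not code from the Unit42 report: the event tuples are constructed sample data and the field layout is an assumption, not a real product schema.

```python
"""Flag rundll32.exe loading a DLL from a user-writable path when its ancestry
contains cmd.exe and a Windows script host, the shape of the chain described above.
Events and their (pid, ppid, image, command_line) layout are constructed for this example."""
import re

# Constructed process-creation events (assumed layout, not a vendor schema).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'),
    (300, 200, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'),
    (400, 300, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,Entry"),
    # Benign control: rundll32 loading a system DLL straight from explorer.
    (500, 100, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def find_suspicious_chains(events):
    """Return one hit per rundll32 process matching the script -> batch -> DLL pattern."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if not image.lower().endswith("rundll32.exe"):
            continue
        # First signal: the DLL argument lives in a user-writable directory.
        arg = cmdline.split(None, 1)[1] if " " in cmdline else ""
        dll = arg.split(",")[0].strip('"')
        if not USER_WRITABLE.search(dll):
            continue
        # Second signal: walk the ancestry (bounded) for cmd.exe and a script host.
        lineage = []
        cur = by_pid.get(ppid)
        while cur is not None and len(lineage) < 5:
            lineage.append(cur[2].rsplit("\\", 1)[-1].lower())
            cur = by_pid.get(cur[1])
        if "cmd.exe" in lineage and any(h in lineage for h in SCRIPT_HOSTS):
            hits.append({"pid": pid, "dll": dll, "lineage": lineage})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(hit)
```

The two-signal requirement (user-writable DLL path plus script-host and batch ancestry) keeps ordinary rundll32 use from the shell, like the control event, out of the results.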

Moreover, the latest malware version employs control flow obfuscation and removes PDB strings to complicate analysis and evade detection.

Despite these changes, StrelaStealer’s core objective remains unchanged: stealing and transmitting email login credentials to the attackers’ command and control (C2) server.

Given the prevalence of such threats, Chief Information Officers (CIOs) should prioritize awareness and vigilance among users. Employees should exercise caution when handling unsolicited emails, particularly those related to payments or invoices, and avoid downloading attachments from unknown sources.