StrelaStealer Attacks Hit 100+ Organizations

In a recent report by Unit 42 researchers from Palo Alto Networks, a new series of phishing attacks aimed at disseminating malicious software named StrelaStealer has been identified. This threat has impacted over 100 organizations across the European Union and the United States.

The attacks are delivered through spam emails whose attachments launch the StrelaStealer DLL payload. To evade detection, the attackers periodically change the file format of the attachment in the initial email.

StrelaStealer, first detected in November 2022, is designed to steal email account credentials from popular mail clients and send them to a server under the attackers’ control.

Since the malware’s inception, researchers have documented two significant campaigns deploying this malicious software: one in November 2023 and another in January 2024. These campaigns targeted sectors including technology, finance, professional and legal services, manufacturing, energy, insurance, construction, as well as government institutions.

In the latest wave of attacks, the attackers used invoice-themed emails carrying ZIP archive attachments. Inside these archives were JavaScript files that executed a batch file, which in turn downloaded the malicious DLL component and launched it via the legitimate Windows tool “rundll32.exe”. StrelaStealer is reported to employ various obfuscation techniques that complicate its analysis in sandboxed environments.
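As an added illustration (not part of the Unit 42 report or this article), the delivery chain described above can be spotted in process-creation telemetry by walking parent/child relationships: a script host running the JavaScript attachment spawns cmd.exe for the batch file, which spawns rundll32.exe loading a DLL from a user-writable path. The event layout (Sysmon-style dictionaries), the script-host names and the path heuristic are assumptions; the sample events are constructed.

```python
# Constructed process-creation events in a simplified Sysmon-like layout (assumption).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Invoice_4471.js"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmd": 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"'},
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"},
    # Benign chain: an interactive cmd.exe running a system DLL via rundll32.exe.
    {"pid": 500, "ppid": 100, "image": "cmd.exe",
     "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Hosts that execute a .js attachment on Windows (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing-delivered DLL typically lands in (heuristic, assumption).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def find_script_to_rundll32_chains(events):
    """Return (script_pid, cmd_pid, rundll32_pid) triples for every chain
    script host -> cmd.exe -> rundll32.exe where rundll32.exe loads a DLL
    from a user-writable location."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "rundll32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "cmd.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or grand["image"].lower() not in SCRIPT_HOSTS:
            continue
        # Only flag DLLs loaded from user-writable paths; system DLLs are ignored.
        cmd = e["cmd"].lower()
        if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
            hits.append((grand["pid"], parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for chain in find_script_to_rundll32_chains(SAMPLE_EVENTS):
        print("suspicious chain (script pid, cmd pid, rundll32 pid):", chain)
```

The benign chain (pids 500 and 600) is not reported because it lacks a script-host ancestor and loads a DLL from the system directory.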

This campaign is a reminder that ongoing user awareness training and appropriate security controls are needed to protect confidential data and critical systems against modern threats such as StrelaStealer and similar malware.