Summary:
Strela Stealer, a malware originally identified by the German cybersecurity organization DCSO in late 2022, is an information stealer primarily designed to exfiltrate email account credentials from email clients like Microsoft Outlook. In addition to credential theft, Strela Stealer gathers detailed system and email server information, enabling attackers to conduct reconnaissance and potentially launch further targeted attacks. Although campaigns utilizing Strela Stealer initially targeted Spanish-speaking users with malicious ISO attachments in email spam campaigns, this campaign discovered by Cyble Research and Intelligence Labs (CRIL) predominately targets victims in Germany and Spain, evolving their tactics to maximize the campaign's reach and effectiveness. The heavily obfuscated JavaScript files contained within the ZIP file attachments are designed to evade security tool detection. In a report by Palo Alto, Strela Stealer Threat Actors (TAs) were observed using malicious ZIP file attachments similar to this campaign that eventually executed a DLL as the final payload. In this campaign, however, by executing the final DLL directly from a WebDAV server, the DLL file is not saved on disk, thereby evading detection. A comparison chart of the three Strela Stealer campaigns mentioned above is available on CRIL's blog post.

Security Officer Comments:
The sophistication and stealth of these recent campaigns are highlighted by the notable advancement in malware delivery techniques employed by threat actors to maximize the malware's impact. One of the most concerning aspects of Strela Stealer is its ability to evade detection. The use of heavily obfuscated JavaScript files within ZIP attachments and direct DLL execution from a WebDAV server are sophisticated techniques designed to bypass security solutions. These tactics demonstrate a high level of technical expertise and a willingness to invest resources in refining the malware's capabilities.

The Strela Stealer improvements underscore the importance of proactive security measures. The expansion of the target audience from Spanish-speaking users to include Germany and Spain underscores the global nature of cyber threats. Threat actors are increasingly targeting specific regions and industries to maximize their potential gains.

Suggested Corrections:
IOCs and MITRE ATT&CK Techniques are published here.

Cyble Research and Intelligence Labs' Suggested Corrections Recommendations:

• Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
• Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
• Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
• Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
• Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
• Implement multi-factor authentication for accessing sensitive systems and accounts, introducing an additional layer of verification to protect against credential theft.

Link(s):
https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/