StrelaStealer Malware Hits More Than 100 EU And US Organizations

A wave of StrelaStealer email credential stealer campaigns has impacted more than 100 organizations across the European Union and the United States — attacks that work in the form of spam emails with attachments that eventually launch a dynamic-link library (DLL) payload.

Unit 42 researchers explained on March 22 that with each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself. Attackers do this to evade detection by security vendors.

StrelaStealer malware was first documented by DCSO_CyTec in its blog on Medium published Nov. 8, 2022. The Unit 42 researchers said the last large-scale campaign launched in 2023 was around last November and the Unit 42 team recently observed a new campaign launched in late January 2024 targeting multiple industries in the EU and U.S.

The Unit 42 researchers pointed out that the threat actor updated the malware so it could evade detection. The new variant of StrelaStealer now gets delivered through a zipped JScript and it employs an updated obfuscation technique in the DLL payload.

Adam Neel, threat detection engineer at Critical Start, said the threat actor has moved on from using a polyglot file (created with multiple file formats), and instead now uses spearphishing with a ZIP that eventually generates an encoded file. Neel said the new version of StrelaStealer is better obfuscated because it now uses control flow obfuscation — long code blocks that obscure what’s actually being done in the code — to make it harder for reverse engineering and detection.

“I believe spearphishing and phishing in general will remain effective for a long time since all it takes is one user to having a lapse in judgement and downloading something they shouldn’t,” said Neel.