The damage can be especially disastrous for small-to-medium enterprises (SMEs) that lack the big budgets and sprawling security teams to respond rapidly to a breach. Therefore, it is crucial for SME I.T. security leaders to ensure that their organizations are secure through affordable measures to reduce their exposure to compromise.
Now, in this piece, we’ll dissect a timely example of credential theft, StrelaStealer, to identify the malware’s characteristics and capabilities and the detections and preventions necessary to block it from affecting your organization.
StrelaStealer’s New Tricks
A massive StrelaStealer campaign recently rocked hundreds of US- and EU-based companies. StrelaStealer, as its name suggests, is a stealer. Its goal is to swipe email login credentials from victim machines, focusing primarily on Thunderbird and Outlook email accounts.
When StrelaStealer was first observed in early November 2022, it was distributed as an ISO file that contained a .LNK file which either side-loaded the stealer’s DLL payload or, through a more sophisticated method, executed the payload as a DLL/HTML polyglot.
That distribution method has evolved. In this most recent campaign, we see StrelaStealer delivered via phishing emails in several languages, depending on what their target speaks.
Here, in this phishing email, we can see how users are lured into opening a zip file attachment purporting to enclose a PDF invoice:

The zip file actually contains a JavaScript file named “18262829011200.js”:

Now, by performing static and dynamic analyses, we can assess that file and understand its functionality and capabilities.
Static Analysis
First up, static analysis. The JavaScript file’s source can be examined, without running it, for signs of malicious functionality.
Reviewing the file in a text editor reveals several interesting commands:
- The following commands look like an obfuscated script, replacing characters with variable names:

De-obfuscating the code, we can see that it contains several commands using native Windows applications to create and ultimately run a DLL file named “returnready.dll”:

- Additional strings show more obfuscated code, using the same method of setting characters as variables:

Once decoded, we can see how wscript’s ‘shell’ method is used to execute cmd.exe and create the file “trousersperpetual.bat” in the %temp% directory:

- Finally, a very large base64 encoded string was observed in the file:

Decoding the string, we can see that it is a portable executable (PE) file:
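The last static-analysis step above, carving the large base64 string out of the script and confirming that it decodes to a PE image, is easy to automate. The following is an added example written for this article, not Cynet’s tooling or anything taken from the sample: it locates the longest base64-looking run in a script, decodes it, and parses the DOS and COFF headers to report the machine type and whether the image is a DLL. The embedded “payload” is a constructed header-only blob built in `build_fake_dll_header()`, not real malware.

```python
import base64
import re
import struct
from typing import Optional


def build_fake_dll_header() -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header of an x64 DLL.
    Only the headers are present; this is not an executable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                      # DOS magic
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header starts at 0x40
    machine = 0x8664                      # IMAGE_FILE_MACHINE_AMD64
    characteristics = 0x2022              # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for the dropper script: short variable assignments
# around one long base64 line, mirroring the layout described above.
SAMPLE_SCRIPT = (
    "var a = 'w'; var b = 's';\n"
    "// embedded blob (constructed for this example)\n"
    + base64.b64encode(build_fake_dll_header()).decode() + "\n"
    + "var c = a + b;\n"
)

# A run of 64+ base64 characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def largest_base64_blob(text: str) -> Optional[bytes]:
    """Decode the longest base64-looking run in text, or None if there is none."""
    runs = B64_RE.findall(text)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)  # repair padding lost during extraction
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:               # binascii.Error subclasses ValueError
        return None


def describe_pe(data: bytes) -> Optional[dict]:
    """Parse DOS and COFF headers; return None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "sections": nsections,
        "is_dll": bool(chars & 0x2000),   # IMAGE_FILE_DLL
        "optional_header_size": opt_size,
    }


def triage_script(text: str) -> Optional[dict]:
    """Carve the embedded blob and describe it if it is a PE image."""
    data = largest_base64_blob(text)
    return describe_pe(data) if data else None


if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT))
```

Run against a real dropper, the same function reports the decoded payload’s machine type and DLL flag, which is enough to decide whether the blob warrants a full PE parse and a sandbox run.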

Dynamic Analysis
Next, dynamic analysis. StrelaStealer can be run in a controlled environment to reveal its attack flow step-by-step.
Upon execution of the file “18262829011200.js” via wscript.exe, cmd.exe is used to create a copy of the .js file’s contents, which is then saved on the host as the file “C:\Users\*\AppData\Local\Temp\trousersperpetual.bat”:

Cmd.exe continues by running “findstr” on the file “C:\Users\*\AppData\Local\Temp\trousersperpetual.bat”, selecting all lines that do not contain the word “marrywise” and saving the result to the file “C:\Users\*\AppData\Local\Temp\magnificentdevelopment”.

This file ends up containing the large base64 string found in our static analysis:

Then certutil.exe is invoked to decode the newly created base64-encoded file “magnificentdevelopment” into the file “C:\Users\*\AppData\Local\Temp\returnready.dll”.

This is essentially StrelaStealer’s payload file:

The file “returnready.dll” is then executed via rundll32.exe, which proceeds to enumerate the host’s Outlook and Thunderbird email account data before exfiltrating it to the threat actor’s command and control (C2) server.

MITRE ATT&CK Tactics & Techniques
- Initial Access: Phishing
- Execution: Command and Scripting Interpreter; User Execution
- Defense Evasion: Deobfuscate/Decode Files or Information; Obfuscated Files or Information; System Binary Proxy Execution
- Collection: Email Collection
- Command and Control: Application Layer Protocol
- Exfiltration: Automated Exfiltration; Exfiltration Over C2 Channel
How to detect StrelaStealer
1. File Dumped on the Disk
Cynet’s AV/AI engine detects that malicious files have been dumped on the disk or are attempting to run:



2. Process Monitoring
Cynet’s Process Monitoring mechanism detects the use of Certutil.exe to decode the malicious DLL file:
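The process chain described in the dynamic analysis (wscript.exe spawning cmd.exe, which stages a file with findstr, decodes it with certutil.exe and runs the result with rundll32.exe from %temp%) is detectable from process-creation telemetry alone. The following is an added example written for this article, not Cynet’s detection logic: it walks a small set of constructed process events (pids, parents and command lines are invented; the findstr/certutil/rundll32 arguments follow the behaviour described above, and the rundll32 export name is a placeholder) and raises a finding for each suspicious step, including the parent ancestry back to a script host. A benign certutil invocation is included to show it is not flagged.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record, as an EDR or Sysmon event would carry it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\victim\AppData\Local\Temp"

# Constructed sample telemetry mirroring the chain in this article (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\18262829011200.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              f'cmd.exe /c findstr /v marrywise "{TEMP}\\trousersperpetual.bat" '
              f'> "{TEMP}\\magnificentdevelopment"'),
    ProcEvent(400, 300, r"C:\Windows\System32\certutil.exe",
              f'certutil -decode "{TEMP}\\magnificentdevelopment" "{TEMP}\\returnready.dll"'),
    # Export name after the comma is a placeholder; the sample's real export is not shown here.
    ProcEvent(500, 300, r"C:\Windows\System32\rundll32.exe",
              f'rundll32.exe "{TEMP}\\returnready.dll",EntryPoint'),
    # Benign: certutil used to list a certificate store, straight from explorer.
    ProcEvent(600, 100, r"C:\Windows\System32\certutil.exe", "certutil -store my"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
CERTUTIL_DECODE_RE = re.compile(r"[-/]decode\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames of the parent, grandparent, ... (bounded against cycles)."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < 16:
        chain.append(_basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) findings for the staging/decoding/execution steps."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        name = _basename(ev.image)
        cmd = ev.cmdline.lower()
        from_script = any(p in SCRIPT_HOSTS for p in ancestry(ev, by_pid))
        in_temp = bool(TEMP_DIR_RE.search(ev.cmdline))

        # certutil used as a decoder rather than for certificate management.
        if name == "certutil.exe" and CERTUTIL_DECODE_RE.search(cmd):
            hits.append((ev.pid, "certutil_decode"))
        # rundll32 loading a DLL out of a user's temp directory.
        if name == "rundll32.exe" and in_temp:
            hits.append((ev.pid, "rundll32_from_temp"))
        # cmd.exe filtering a temp file with findstr, descended from a script host.
        if name == "cmd.exe" and "findstr" in cmd and in_temp and from_script:
            hits.append((ev.pid, "script_host_findstr_staging"))
        # LOLBins whose ancestry leads back to wscript/cscript.
        if name in ("certutil.exe", "rundll32.exe") and from_script:
            hits.append((ev.pid, "script_host_ancestry"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule on its own produces some noise in a real estate (administrators do run certutil, and some installers run rundll32 from temp); the ancestry rule is what turns the individual findings into a high-confidence chain, so in a SIEM it is worth correlating the three hits by parent pid rather than alerting on each separately.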

