StrelaStealer: A Dynamic Data-Stealing Malware

As per Palo Alto Networks’ Unit 42 report,

What is StrelaStealer Malware?

StrelaStealer malware is an email credential stealer first documented by DCSO_CyTec in their recent blog. This is said to spread via an ISO attachment and initially targeted the Spanish audience.

The malware collected credentials from popular email platforms like Outlook and Thunderbird. Since its first emergence, the threat actor behind StrelaStealer crafted various large-scale email campaigns, typically across the EU and the US.

Apart from using spam emails with attachments, one notable characteristic is that it uses a “polyglot” infection method to bypass detection.

How Does StrelaStealer Attack?

In terms of security, polyglots are files that are a valid form of various file types. For example, GIFAR is a polyglot file that combines both a GIF and a RAR file. Such files are used to bypass protection based on file types.

StrelaStealer malware arrives on the victim’s system via email attachments, currently ISO files that pose as legitimate files. This ISO file contains an executable (‘msinfo32.exe’) that sideloads the bundled malware via DLL order hijacking.

Interestingly, an ISO contains an LNK file (‘Factura.lnk’) and an HTML file (‘x.html’). The x.html file is of particular interest because it is a polyglot file, which can be treated as a different file format depending on the app that opens it.

In this case, x.html is an HTML file and a DLL program. It loads the StrelaStealer malware or displays a decoy document in the default web browser. When the Fractura.lnk file is executed, it will execute x.html twice.

First, it will execute using rundll32.exe to run the embedded StrelaStealer DLL. Second, it runs as HTML to load the decoy document in the browser. Once the malware enters the memory, it opens a default browser to show the decoy. This makes the attack less suspicious.

The StrelaStealer malware is designed to steal email login data from email clients. This data is then sent back to the attacker’s Command & Control (C2) Server. These servers facilitate data exfiltration by requiring the compromised device to send specific data to the server.

Once the threat actor gains access to the victim’s login details, they can use it for further attacks. To bypass detection, attackers change the initial email attachment file format from one campaign to the next, making it difficult for analysts and security tools to detect the malware.

At the same time, the malware author frequently updates the DLL payload with better obfuscation and anti-analysis practices, further complicating the analysis process.

Also read: Combating Stealer Malware in Today’s Cyber Landscape

How can Assets Be Protected from StrelaStealer Malware?

• Stay Informed

To enhance defenses against StrelaStealer malware, individuals and firms must adopt a proactive and informed approach. This includes staying informed about phishing tactics, as StrelaStealer often infiltrates systems via disguised phishing emails.

Learning to recognize suspicious email patterns and verify the authenticity of links or attachments before interaction is essential.

• Use Robust Anti-Malware Software

Install and maintain reputable antivirus software that can detect and neutralize malware threats. Ensure that the software is always up to date to protect against the latest malware signatures.

• Enforce MFA

Firms must strengthen the security of their accounts by enabling MFA. MFA adds an extra layer of protection, making it challenging for hackers to gain access to sensitive data even if they manage to obtain the credentials.

• Update the Software and Backup Data Regularly

Hackers often exploit vulnerabilities in outdated software. It is crucial to keep the operating system, browsers, and all apps updated with the latest patches and versions.

Moreover, keeping the operating system, browsers, and all apps updated with the latest patches and versions can prevent such exploits.

Regular data backups, both on physical drives and cloud-based services, ensure that, in the event of a system compromise, recovery is possible without significant data loss.

• Promote Awareness and Vigilance

Fostering a culture of cybersecurity awareness within the firm will help overcome phishing attacks. Regular training sessions can help employees stay informed about the latest threats and best practices. Users must also track accounts and systems for any unusual activity that could indicate a breach. The sooner they can identify and respond to a threat, the better the chances of mitigating its impact.

• Limit User Privileges and Conduct Regular Security Audits

Grant administrative rights only to trusted individuals and only when necessary. Reducing the number of users with access to sensitive data can minimize the risk of internal threats or accidental exposure.

Also, cybersecurity practices and policies should be regularly reviewed. This includes assessing the effectiveness of the current security measures and identifying any potential vulnerabilities that need to be addressed.

Conclusion

The StrelaStealer malware is a significant threat that uses the ingenuity of polyglot files to bypass security measures.

To combat this, staying informed about the latest phishing tactics, using robust anti-malware software, enforcing MFA, keeping software updated, and promoting cybersecurity awareness are essential.

By taking these proactive steps, firms can enhance their defenses against StrelaStealer and other dynamic malware threats, protecting sensitive data and maintaining the integrity of their digital assets.