StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe

June 25, 2024, 1:22 p.m.

Description

Recent observations indicate a surge in JavaScript attachments spreading StrelaStealer, a credential stealer that specifically targets Outlook and Thunderbird email credentials. While the infection chain resembles previous versions, additional checks have been added to avoid compromising systems in Russia. The campaign is currently confined to Poland, Spain, Italy, and Germany. The malware uses an obfuscated JavaScript file delivered as an email attachment to initiate the attack chain, evading detection through self-copying and encoding techniques. Once executed, it infects only non-Russian systems, steals email account information, and sends it to a remote server.

Date

Published: June 25, 2024, 1:07 p.m.

Created: June 25, 2024, 1:07 p.m.

Modified: June 25, 2024, 1:22 p.m.

Indicators


Attack Patterns

StrelaStealer

T1036.004

T1059.005

T1055.002

T1059.003

T1059.001

T1012

T1059.007

T1056.001

T1036.005

T1027

Additional Information

Poland

Spain

Italy

Germany