StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe

June 25, 2024, 1:22 p.m.

Description

Recent observations indicate a surge in JavaScript files spreading StrelaStealer, a credential stealer that specifically targets Outlook and Thunderbird email credentials. While the infection chain resembles previous versions, additional checks have been added to avoid compromising systems in Russia. The campaign is currently confined to Poland, Spain, Italy, and Germany. The malware uses an obfuscated JavaScript file delivered as an email attachment to start the attack chain, evading detection through self-copying and encoding techniques. Once executed, it infects only non-Russian systems, harvests email account information, and sends it to a remote server.

Date

  • Created: June 25, 2024, 1:07 p.m.
  • Published: June 25, 2024, 1:07 p.m.
  • Modified: June 25, 2024, 1:22 p.m.

Indicators


Attack Patterns

  • StrelaStealer
  • T1036.004
  • T1059.005
  • T1055.002
  • T1059.003
  • T1059.001
  • T1012
  • T1059.007
  • T1056.001
  • T1036.005
  • T1027

Additional Information

  • Poland
  • Spain
  • Italy
  • Germany