StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe
June 25, 2024, 1:22 p.m.
Description
Recent observations indicate a surge in JavaScript-based delivery of StrelaStealer, a credential stealer that specifically targets Outlook and Thunderbird email credentials. While the infection chain resembles previous versions, additional checks have been added to avoid compromising systems located in Russia. The campaign is currently confined to Poland, Spain, Italy, and Germany. The malware uses an obfuscated JavaScript file delivered as an email attachment to start the attack chain, evading detection through self-copying and encoding techniques. Once executed, it infects only non-Russian systems, steals email account information, and sends it to a remote server.
Date
Published: June 25, 2024, 1:07 p.m.
Created: June 25, 2024, 1:07 p.m.
Modified: June 25, 2024, 1:22 p.m.
Indicators
Attack Patterns
Malware: StrelaStealer
MITRE ATT&CK techniques:
T1036.004 (Masquerade Task or Service)
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1055.002 (Process Injection: Portable Executable Injection)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1012 (Query Registry)
T1059.007 (Command and Scripting Interpreter: JavaScript)
T1056.001 (Input Capture: Keylogging)
T1036.005 (Masquerading: Match Legitimate Name or Location)
T1027 (Obfuscated Files or Information)
Additional Information (targeted countries)
Poland
Spain
Italy
Germany