انتقل إلى المحتوى الرئيسي
|
0 دقائق القراءة

Strela Stealer Malware Targeting Europe

Get a Demo of Forcepoint Solutions

Note from Lionel: As our X-Labs team was in the process of final analysis, we noticed the IBM X-Force team recently published details on the Strela Stealer malware. In the interest of sharing more information, we thought it was worth communicating it here via a blog post.

###

In the last month, we’ve seen a pronounced  increase in an infostealer malware that has been active throughout 2024. The Strela Stealer malware campaign starts via a German language phishing email that urges users to download an archive that contains highly obfuscated large JavaScript file. Upon execution, this file acts as a stealer that exfiltrates certain system information—including email configuration details, usernames and passwords.

Here's the attack chain:

strela_image-1.png

In terms of scope, here’s a graph showing the volume of the Strela email campaign messages blocked by day:

strela_image-2.png

Email:

The email is crafted in German language that uses either an invoice or fake product purchases as a lure to encourage users to download the archive file.

strela_image-3.png
Fig. 1 – Email sample

JavaScript in archive 

strela_image-4.png
Fig. 2 – JavaScript in archive

In Fig. 2 above, the size of JavaScript file is around ~1MB. The JavaScript has two techniques for execution of code:

  • By using cmd.exe which directly executing a dll file using rundll32
  • By using powershell.exe, de-obfuscating base64 encoded string and executing a dll file using rundll32

 

Here’s more detail in how the de-obfuscation and execution techniques work:

Technique1: Obfuscated JavaScript and execution using cmd.exe

strela_image-5.png
Fig. 3 - JavaScript code

 

Observing the JavaScript, we see it has two parts. One is variable assigned to strings and other is Function() from which execution of JavaScript starts:

 

strela_image-6.png
Fig. 4.1 - Obfuscated JavaScript code
strela_image-7.png
Fig. 4.2 - Function in Obfuscated JavaScript code

 

 

De-obfuscation JavaScript:

 

 

By replacing strings with small content, we can now see the code in readable format (see Fig. 4.3 below):

 

strela_image-8.png
Fig. 4.3 - Readable code

 

On replacing strings with its values, we get exact content.

 

strela_image-9.png
Fig. 4.4 - Decoded script

Technique 2: PowerShell Encoded and Decoded JavaScript

strela_image-10.png
Fig. 4.5 - PowerShell Obfuscated JavaScript
strela_image-11.png
Fig. 4.6 - De-obfuscated JavaScript
strela_image-12.png
Fig. 4.7 - Decoded command

 

 

 

 

Fig. 4.4 and 4.7 above both show decoded code that uses WebDAV to run a file without saving it to disk.

 

 

WebDAV server enhances HTTP and allows users to manage and edit files on server without saving changes on the local machine. 

 

 

The code connects to 94.159.113[.]82 using port 8888 to execute the dll file using rundll32.exe on server.

 

 

 

 

 

Analysis of dll file

 

 

The dll file which is present on WebDAV server is 64-bit dll file that contains one export function named Entry. This dll acts as a wrapper for the malware payload.

 

strela_image-13.png
Fig. 5 – DLL export function

 

On static analysis, we found .text and .data sections are packed which seems to be containing encrypted code.

 

strela_image-14.png
Fig. 6 - File sections

 

On checking the data section, we see the encryption key highlighted below:

 

strela_image-15.png
Fig. 7 – Packed data section shows encrypted string

 

The dll file also contains numerous jump functions which makes debugging harder to do. Fig. 8. below shows these multiple jump instructions:

 

 

strela_image-16.png
Fig. 8 - Multiple jump instructions

 

Upon executing the dll till return, it follows certain XOR and arithmetic operation for decryption of MZ DOS content inside the dll file: 

 

strela_image-17.png
Fig. 9 - Encryption key

 

Fig. 10 below shows encryption key which is used to decrypt additional MZ header. This encoded string is similar to what we saw in the static analysis of the dll file in Fig. 7 earlier.

 

strela_image-18.png
Fig. 10 - Fake error message

 

Presence of PE file

 

strela_image-19.png
Fig. 11 - Presence of PE file

 

Upon successful execution the dll file exits by displaying a fake error message (See Fig. 10) while remaining active in the background. It then directly executes—unpacking the payload using rundll32.

 

 

While the file is running in background, it tries to get local settings from the victim’s machine by utilizing the GetKeyboardLayout API. It then checks and compares for hardcoded languages such as German and Spanish. If languages match the  victim’s system, it then continues execution, exfiltrating sensitive system data on /server[.]php.

 

Conclusion:

 

The recent Strela infostealer campaign is distributed by phishing email that urges users to download an infected file attached to the email. The file archive contains heavily obfuscated JavaScript code which uses WebDAV server to directly execute the dll file without saving it to disk—thus bypassing security mechanisms, enabling unauthorized access to sensitive information in the process.

 

Protection Statement

  • Stage 2 (Lure) – Delivered via archive embedded in an email. Emails are blocked by email analytics.
  • Stage 3 (Redirect) – WebDAV url which hosts dll file is categorized and blocked under security classification.
  • Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
  • Stage 6 (Call Home) - The malware contacts command and control (C&C) servers in order to share sensitive user data are categorized and blocked under security classification.

IOCs

Endpointexperiment[.]com

domain

Vaultdocker[.]com

domain

e57732e4d95caafc20e3e0893a393b3a17f1df0b

js

f3fafff8a8e9f87eb7499e0a805cb852dcbc38b3

js

c087cfb7dc86cee69119a5db912e1cee22a3c2a8

js

aff97210b69e95313c6b28d4bd87346f97b6c637

dll

f16890fb143741ec118befd22f6903a18f8f1315

dll

1e3059f9a0cd52f3104ee3211860f60328ecf35a

dll

94.159.113[.]82/server[.]php

C2

94.159.113[.]79/server[.]php

C2

94.159.113[.]86/server[.]php

C2

193.109.85[.]231/server[.]php

C2

94.159.113[.]48/server[.]php

C2

    في المقال

    X-Labs

    Get insight, analysis & news straight to your inbox

    إلى النقطة

    الأمن السيبراني

    بودكاست يغطي أحدث الاتجاهات والموضوعات في عالم الأمن السيبراني

    استمع الآن