Strela Stealer Malware Targeting Europe

Note from Lionel: As our X-Labs team was in the process of final analysis, we noticed the IBM X-Force team recently published details on the Strela Stealer malware. In the interest of sharing more information, we thought it was worth communicating it here via a blog post.

###

In the last month, we’ve seen a pronounced  increase in an infostealer malware that has been active throughout 2024. The Strela Stealer malware campaign starts via a German language phishing email that urges users to download an archive that contains highly obfuscated large JavaScript file. Upon execution, this file acts as a stealer that exfiltrates certain system information—including email configuration details, usernames and passwords.

Here's the attack chain:

In terms of scope, here’s a graph showing the volume of the Strela email campaign messages blocked by day:

Email:

The email is crafted in German language that uses either an invoice or fake product purchases as a lure to encourage users to download the archive file.

JavaScript in archive 

In Fig. 2 above, the size of JavaScript file is around ~1MB. The JavaScript has two techniques for execution of code:

• By using cmd.exe which directly executing a dll file using rundll32
• By using powershell.exe, de-obfuscating base64 encoded string and executing a dll file using rundll32

Here’s more detail in how the de-obfuscation and execution techniques work:

Technique1: Obfuscated JavaScript and execution using cmd.exe

Observing the JavaScript, we see it has two parts. One is variable assigned to strings and other is Function() from which execution of JavaScript starts:

De-obfuscation JavaScript:

By replacing strings with small content, we can now see the code in readable format (see Fig. 4.3 below):

On replacing strings with its values, we get exact content.

Technique 2: PowerShell Encoded and Decoded JavaScript

Fig. 4.4 and 4.7 above both show decoded code that uses WebDAV to run a file without saving it to disk.

WebDAV server enhances HTTP and allows users to manage and edit files on server without saving changes on the local machine. 

The code connects to 94.159.113[.]82 using port 8888 to execute the dll file using rundll32.exe on server.

Analysis of dll file

The dll file which is present on WebDAV server is 64-bit dll file that contains one export function named Entry. This dll acts as a wrapper for the malware payload.

On static analysis, we found .text and .data sections are packed which seems to be containing encrypted code.

On checking the data section, we see the encryption key highlighted below:

The dll file also contains numerous jump functions which makes debugging harder to do. Fig. 8. below shows these multiple jump instructions:

Upon executing the dll till return, it follows certain XOR and arithmetic operation for decryption of MZ DOS content inside the dll file: 

Fig. 10 below shows encryption key which is used to decrypt additional MZ header. This encoded string is similar to what we saw in the static analysis of the dll file in Fig. 7 earlier.

Presence of PE file

Upon successful execution the dll file exits by displaying a fake error message (See Fig. 10) while remaining active in the background. It then directly executes—unpacking the payload using rundll32.

While the file is running in background, it tries to get local settings from the victim’s machine by utilizing the GetKeyboardLayout API. It then checks and compares for hardcoded languages such as German and Spanish. If languages match the  victim’s system, it then continues execution, exfiltrating sensitive system data on /server[.]php.

Conclusion:

The recent Strela infostealer campaign is distributed by phishing email that urges users to download an infected file attached to the email. The file archive contains heavily obfuscated JavaScript code which uses WebDAV server to directly execute the dll file without saving it to disk—thus bypassing security mechanisms, enabling unauthorized access to sensitive information in the process.

Protection Statement

• Stage 2 (Lure) – Delivered via archive embedded in an email. Emails are blocked by email analytics.
• Stage 3 (Redirect) – WebDAV url which hosts dll file is categorized and blocked under security classification.
• Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 6 (Call Home) - The malware contacts command and control (C&C) servers in order to share sensitive user data are categorized and blocked under security classification.

IOCs