Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new variation of the Strela Stealer that represents “a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth,” Cyble said in a blog post today.
The new campaign appears to be targeting Germany and Spain, with versions in German, Spanish and Basque, but as with all malware, it will likely be repurposed elsewhere at some point – as happened with the initial version of the infostealer.
New Strela Stealer Uses Obfuscated JavaScript, PowerShell
Strela Stealer, initially identified by DCSO in 2022, is an infostealer primarily created to steal account credentials from widely used email clients like Microsoft Outlook and Mozilla Thunderbird. It initially targeted Spanish-speaking users with malicious ISO file attachments that included a .lnk file and a polyglot file. ZIP attachments were the next evolution.
By adding heavily obfuscated JavaScript and base64-encoded PowerShell commands, the new Strela Stealer variant “significantly complicates detection and response efforts,” Cyble said.
Another new twist is executing the DLL file directly from the WebDAV server without saving it to disk, which further adds to its security evasion abilities.
The malware is programmed to steal email configuration details and gather detailed system information, “enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems,” Cyble said.
New Campaign Starts with Invoice Notices, ZIP File
The new campaign starts with a fake invoice notification for a recent purchase and a ZIP file attachment (image below) that contains the obfuscated JavaScript code, which is intended to run through WScript. The code launches a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the export function “Entry.”
“By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products,” the researchers said.
The JavaScript file uses string substitution to generate and execute its hidden code, which initiates a PowerShell command embedded within the script and a base64-encoded payload. That command contacts a WebDAV server and executes a DLL file, which acts as a loader for the main payload.
“The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash,” the researchers said. “Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions.”
The DLL accesses a hardcoded key within its “.data” section, which is used to decrypt additional data stored in the same section and ultimately extracts the main payload. The resulting MZ file runs directly from the “rundll32.exe” process.
If that process finds a language match via the GetKeyboardLayout API, the infostealer continues its execution. If there is no language match, it stops. “This behavior indicates that the malware specifically targets regions within Germany and Spain,” Cyble said.
The full Cyble blog includes additional details, MITRE ATT&CK techniques, and about 100 Indicators of Compromise (IoCs).
