StrelaStealer
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | StrelaStealer communicates externally via HTTP POST with encrypted content.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated variants that connect to a WebDAV server to download and execute an encrypted DLL for installation.(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | StrelaStealer has included BAT files in some instances for installation.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | StrelaStealer has been distributed as a malicious JavaScript object.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | StrelaStealer utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.(Citation: Fortgale StrelaStealer 2023) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | StrelaStealer has sideloaded a DLL payload using a renamed, legitimate `msinfo32.exe` executable.(Citation: DCSO StrelaStealer 2022) |
| Enterprise | T1036.003 | Masquerading: Rename Legitimate Utilities | StrelaStealer has used a renamed, legitimate `msinfo32.exe` executable to sideload the StrelaStealer payload during initial installation.(Citation: DCSO StrelaStealer 2022) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | StrelaStealer has been distributed as a DLL/HTML polyglot file.(Citation: DCSO StrelaStealer 2022)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.(Citation: PaloAlto StrelaStealer 2024) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | StrelaStealer uses XOR-encoded strings to obfuscate items.(Citation: DCSO StrelaStealer 2022) |
| Enterprise | T1027.015 | Obfuscated Files or Information: Compression | StrelaStealer has been delivered via JScript files in a ZIP archive.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023) |
| Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | StrelaStealer variants have included excessive mathematical functions that pad the binary and slow execution for anti-analysis and sandbox evasion purposes.(Citation: Fortgale StrelaStealer 2023) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | StrelaStealer has been distributed as a spearphishing attachment.(Citation: DCSO StrelaStealer 2022) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | StrelaStealer variants have used valid code signing certificates.(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | StrelaStealer DLL payloads have been executed via `rundll32.exe`.(Citation: PaloAlto StrelaStealer 2024)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | StrelaStealer searches for and, if found, collects the contents of files such as `logins.json` and `key4.db` in the `%APPDATA%\Thunderbird\Profiles\` directory, associated with the Thunderbird email application.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023) |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | StrelaStealer enumerates the registry key `HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\` to identify the values for "IMAP User," "IMAP Server," and "IMAP Password" associated with the Outlook email application.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024) |
| Enterprise | T1204.002 | User Execution: Malicious File | StrelaStealer relies on user execution of a malicious file for installation.(Citation: DCSO StrelaStealer 2022) |
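As an added defender-side illustration (not code from this page or from any of the cited reports), the Python below checks constructed Sysmon-style events for the credential-access and execution behaviours listed in the table: reads of the Thunderbird `logins.json`/`key4.db` files and of the Outlook IMAP profile registry key by processes other than the mail clients, `rundll32.exe` loading a DLL from a user-writable path, and a process whose PE original filename is `msinfo32.exe` running under another name. The `Event` record, the mail-client process names and all sample paths are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str                # "process", "file" or "registry" (constructed schema)
    image: str               # full path of the acting process
    target: str              # command line, file path or registry value path
    original_name: str = ""  # PE OriginalFileName of the image, when known

# Paths taken from the page; the GUID is the Outlook profile key the page lists.
OUTLOOK_PROFILE_KEY = (r"HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles"
                       r"\Outlook\9375CFF0413111d3B88A00104B2A6676")
THUNDERBIRD_CRED_FILES = ("logins.json", "key4.db")
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

def check_event(ev: Event) -> list[str]:
    """Return alert labels for one event; an empty list means nothing matched."""
    name = ev.image.rsplit("\\", 1)[-1].lower()   # basename of the acting process
    target, alerts = ev.target.lower(), []
    if (ev.kind == "file" and "\\thunderbird\\profiles\\" in target
            and target.endswith(THUNDERBIRD_CRED_FILES) and name != "thunderbird.exe"):
        alerts.append("T1552.001 Thunderbird credential file read by non-Thunderbird process")
    if (ev.kind == "registry" and target.startswith(OUTLOOK_PROFILE_KEY.lower())
            and name != "outlook.exe"):
        alerts.append("T1552.002 Outlook IMAP profile key read by non-Outlook process")
    if ev.kind == "process" and name == "rundll32.exe" and USER_WRITABLE.search(ev.target):
        alerts.append("T1218.011 rundll32 loading a DLL from a user-writable path")
    if (ev.kind == "process" and ev.original_name.lower() == "msinfo32.exe"
            and name != "msinfo32.exe"):
        alerts.append("T1036.003 renamed msinfo32.exe (possible DLL sideload host)")
    return alerts

def scan(events) -> list[tuple[str, str]]:
    return [(ev.image, alert) for ev in events for alert in check_event(ev)]

# Constructed sample events: one benign Thunderbird read, then four suspicious ones.
SAMPLE_EVENTS = [
    Event("file", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
          r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1.default\logins.json"),
    Event("file", r"C:\Users\alice\AppData\Local\Temp\msinf.exe",
          r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1.default\key4.db"),
    Event("registry", r"C:\Users\alice\AppData\Local\Temp\msinf.exe",
          OUTLOOK_PROFILE_KEY + r"\IMAP Password"),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,entry"),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\msinf.exe",
          "msinf.exe", original_name="msinfo32.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` yields no alert for the first event and one alert per remaining event; in real telemetry the mail-client allow-list should be keyed on a verified signer or hash rather than the process name alone.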
References
- Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
- DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
- Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
- Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.