StrelaStealer

StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.(Citation: DCSO StrelaStealer 2022)(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)
ID: S1183
Type: MALWARE
Platforms: Windows
Created: 31 Dec 2024
Last Modified: 10 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

StrelaStealer communicates externally via HTTP POST with encrypted content.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated variants that connect to a WebDAV server to download and execute an encrypted DLL for installation.(Citation: IBM StrelaStealer 2024)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

StrelaStealer has included BAT files in some instances for installation.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

StrelaStealer has been distributed as a malicious JavaScript object.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)

Enterprise T1132 .001 Data Encoding: Standard Encoding

StrelaStealer utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.(Citation: IBM StrelaStealer 2024)

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.(Citation: Fortgale StrelaStealer 2023)

Enterprise T1574 .001 Hijack Execution Flow: DLL

StrelaStealer has sideloaded a DLL payload using a renamed, legitimate `msinfo32.exe` executable.(Citation: DCSO StrelaStealer 2022)

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

StrelaStealer has used a renamed, legitimate `msinfo32.exe` executable to sideload the StrelaStealer payload during initial installation.(Citation: DCSO StrelaStealer 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.(Citation: IBM StrelaStealer 2024)

Enterprise T1036 .008 Masquerading: Masquerade File Type

StrelaStealer has been distributed as a DLL/HTML polyglot file.(Citation: DCSO StrelaStealer 2022)(Citation: IBM StrelaStealer 2024)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.(Citation: PaloAlto StrelaStealer 2024)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

StrelaStealer uses XOR-encoded strings to obfuscate items.(Citation: DCSO StrelaStealer 2022)

Enterprise T1027 .015 Obfuscated Files or Information: Compression

StrelaStealer has been delivered via JScript files in a ZIP archive.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)

Enterprise T1027 .016 Obfuscated Files or Information: Junk Code Insertion

StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.(Citation: Fortgale StrelaStealer 2023)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

StrelaStealer has been distributed as a spearphishing attachment.(Citation: DCSO StrelaStealer 2022)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

StrelaStealer variants have used valid code signing certificates.(Citation: IBM StrelaStealer 2024)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

StrelaStealer DLL payloads have been executed via `rundll32.exe`.(Citation: PaloAlto StrelaStealer 2024)(Citation: IBM StrelaStealer 2024)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

StrelaStealer searches for and, if found, collects the contents of files such as `logins.json` and `key4.db` in the `%APPDATA%\Thunderbird\Profiles\` directory, associated with the Thunderbird email application.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

StrelaStealer enumerates the registry key `HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\` to identify the values for "IMAP User," "IMAP Server," and "IMAP Password" associated with the Outlook email application.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)

Enterprise T1204 .002 User Execution: Malicious File

StrelaStealer relies on user execution of a malicious file for installation.(Citation: DCSO StrelaStealer 2022)