Strelastealer Hits Energy, Manufacturing, Govt Agencies

In a new report, researchers from Unit 42 at Palo Alto Networks have identified a new series of phishing attacks aimed at spreading malicious software known as Strelastealer. The threat has impacted over 100 organizations in the European Union and the United States.

These attacks are carried out through spam messages containing attachments that execute the DLL-loading payload of Strelastealer. To avoid detection, the attackers constantly alter the format of the attachment files in the initial emails.

Strelastealer, which was first discovered in November 2022, is designed to exfiltrate email account credentials from popular mail clients and send them to a server controlled by the attackers.

Two large-scale campaigns utilizing this malicious software were identified in November 2023 and January 2024. The targets of these campaigns included technology, finance, professional services, legal services, manufacturing, energy, insurance, construction, and government institutions.

In the recent attacks, the operators sent invoice-themed emails carrying ZIP archives. The archives contain JavaScript files that run a payload file, which in turn loads the Strelastealer DLL with the legitimate Windows "rundll32.exe". The malware uses several obfuscation techniques to hinder analysis in sandboxed environments.
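The delivery chain above (ZIP, then JavaScript, then rundll32.exe loading a DLL) lends itself to a simple process-lineage check. The following is an added example, not Unit 42's tooling or the malware's code; the events are constructed in the style of Sysmon process-creation records, and the field names, paths and file names are assumptions.

```python
"""Flag rundll32.exe launches that match the Strelastealer delivery chain:
a script host running a .js file as the parent, or a DLL loaded from a
user-writable directory. Example code, with constructed sample events."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing attachment typically lands in (assumed list).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata\\local\\temp|downloads)|programdata)\\", re.I)

# Constructed sample events (Sysmon-style field names are an assumption).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_4471.js"',
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\invoice.dll",#1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev):
    """True when a rundll32.exe launch matches either heuristic."""
    if _basename(ev["Image"]) != "rundll32.exe":
        return False
    # Heuristic 1: wscript/cscript executing a .js file spawned rundll32.
    parent = _basename(ev["ParentImage"])
    js_parent = parent in SCRIPT_HOSTS and ".js" in ev["ParentCommandLine"].lower()
    # Heuristic 2: the DLL argument lives in a user-writable directory.
    m = re.search(r'"?([^"\s,]+\.dll)"?', ev["CommandLine"], re.I)
    dll_user_path = bool(m and USER_WRITABLE.search(m.group(1)))
    return js_parent or dll_user_path


def find_suspicious(events):
    """Return the events worth raising an alert on."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print("ALERT:", hit["CommandLine"])
```

In a real deployment the same two checks map onto a Sysmon Event ID 1 (or EDR process-creation) query; the second event is a benign Control Panel launch and must not fire.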

This malicious campaign underscores the importance of maintaining vigilance and implementing robust cybersecurity measures to safeguard sensitive data and critical systems from modern threats like Strelastealer.
