Fresh Wave of StrelaStealer Phishing Attacks Hits 100+ Organizations

A new wave of phishing attacks has been detected, targeting more than 100 organizations in the European Union and the United States. The attacks aim to deliver an information stealer known as StrelaStealer, which is constantly evolving to evade detection.

Researchers who analyzed the campaigns reported that they use spam emails with attachments to launch StrelaStealer's DLL payload. To evade detection, the attackers change the attachment's file format from one campaign to the next.

First identified in November 2022, StrelaStealer is designed to steal email login data from popular email clients and send it to an attacker-controlled server. Since its discovery, two large-scale campaigns involving the malware have been detected targeting various sectors, including high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction.

The latest attacks deliver a new variant of the stealer with improved obfuscation and anti-analysis techniques. These attacks use invoice-themed emails with ZIP attachments, a departure from previous campaigns that used ISO files.

Each ZIP archive contains a JavaScript file that drops a batch file; the batch file in turn launches the stealer's DLL payload through rundll32.exe, a legitimate Windows component, so the final stage runs inside a trusted Windows binary rather than as a dropped executable. The DLL itself is obfuscated to hinder analysis in sandboxed environments.
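
The chain above is detectable from ordinary process-creation telemetry because every stage is a known parent-child relationship. The following Python script is an added example, not code from the researchers or from the article: it walks constructed process events, loosely shaped like Sysmon Event ID 1 records (an assumption about the log source), and reports a rundll32.exe that loads a DLL from outside the Windows directory when its parent is cmd.exe running a .bat file and its grandparent is wscript.exe or cscript.exe running a .js file. The file names and PIDs in the sample are invented.

```python
"""Flag the StrelaStealer delivery chain from process-creation telemetry.

Added example for the infection chain described above, not code from the
original report.  It looks for a script host (wscript/cscript) running a .js
file, whose child cmd.exe runs a .bat file, whose child rundll32.exe loads a
DLL from outside the Windows directory.  The records below are constructed
and only loosely shaped like Sysmon Event ID 1 fields (an assumption about
the telemetry source, not something the article states)."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # its command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLLs under these paths are routine rundll32 targets (Control Panel applets etc.)
WINDOWS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def path_arg(cmdline: str, ext: str) -> Optional[str]:
    """Return the first argument ending in .<ext>, quoted or bare, else None.

    A bare argument stops at whitespace, a quote or a comma, so the DLL path
    in a 'rundll32.exe <path>.dll,Export' command line comes back without
    the export name."""
    pat = r'"([^"]+\.' + ext + r')"|([^\s",]+\.' + ext + r')(?=[\s,"]|$)'
    m = re.search(pat, cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def detect_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one finding per rundll32.exe whose ancestry matches the chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        dll = path_arg(e.cmdline, "dll")
        if dll is None or dll.lower().startswith(WINDOWS_DLL_DIRS):
            continue  # rundll32 loading a Windows-shipped DLL is routine
        cmd = by_pid.get(e.ppid)
        if cmd is None or basename(cmd.image) != "cmd.exe":
            continue
        bat = path_arg(cmd.cmdline, "bat")
        host = by_pid.get(cmd.ppid) if bat else None
        if host is None or basename(host.image) not in SCRIPT_HOSTS:
            continue
        js = path_arg(host.cmdline, "js")
        if js is None:
            continue
        findings.append({"rundll32_pid": e.pid, "js": js, "bat": bat, "dll": dll})
    return findings


# Constructed sample: one malicious chain and one benign rundll32 launch.
SAMPLE_EVENTS = [
    ProcEvent(4000, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens the .js extracted from the invoice-themed ZIP
    ProcEvent(4100, 4000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" '
              r'"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'),
    ProcEvent(4200, 4100, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'),
    ProcEvent(4300, 4200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\s.dll,Entry"),
    # benign: Control Panel applet launched from Explorer
    ProcEvent(5000, 4000, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for hit in detect_chain(SAMPLE_EVENTS):
        print("suspicious chain:", hit)
```

In production the same logic is a parent-child correlation in the EDR or SIEM. The exclusion for DLLs under the Windows directory keeps Control Panel and shell launches quiet; narrow it to specific signed DLLs if payloads start appearing in paths that match it.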

“With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself,” the researchers explained.

In a related development, the report revealed that fake installers for well-known applications or cracked software hosted on GitHub, Mega, or Dropbox are being used to distribute a stealer malware known as Stealc. Additionally, phishing campaigns have been observed delivering Revenge RAT and Remcos RAT, with the latter delivered by a cryptor-as-a-service (CaaS) called AceCryptor, according to ESET.

Another social engineering scam targets people searching for obituaries of the recently deceased. Fake obituary notices hosted on bogus websites are pushed up the search results through search engine optimization (SEO) poisoning, and visitors are ultimately led to adware and other unwanted programs.

“While the counterfeit undertaking is currently restricted to filling fraudsters’ coffers via affiliate programs for antivirus software, the attack chains could be easily repurposed to deliver information stealers and other malicious programs, making it a more potent threat,” the report warned.

The emergence of a new activity cluster tracked as Fluffy Wolf likewise shows how even unskilled threat actors can use malware-as-a-service (MaaS) offerings to conduct successful attacks at scale. The trend underscores the need for organizations to stay vigilant against evolving lures and to implement robust defences to protect sensitive information.

To defend against StrelaStealer phishing, organizations should educate employees about phishing and encourage them to verify that an email is genuine before clicking links or opening attachments. Publishing and enforcing SPF, DKIM, and DMARC lets receiving mail servers reject messages that forge a protected domain in the sender address; these controls do nothing against mail sent from attacker-registered lookalike domains or from compromised legitimate accounts, so they complement rather than replace attachment filtering. Because the chain described above begins with a user opening a JavaScript file inside a ZIP, blocking or stripping script attachments at the mail gateway and associating .js files with a text editor rather than the Windows Script Host removes the first link, and alerting on rundll32.exe loading a DLL from a user-writable directory catches the last. Regular security training and awareness programs help employees recognize and report phishing attempts.