
Cybersecurity Threat Advisory

A new email threat, StrelaStealer malware, is targeting organizations in Europe and the United States. It spreads through phishing emails with attachments that execute its dynamic-link library (DLL) payload, which is designed to steal email login data. This Cybersecurity Threat Advisory reviews the threat in detail and provides recommendations on how organizations can mitigate their risks.

What is the threat?

StrelaStealer is spread through phishing emails as ZIP attachments. These attachments contain JScript files that drop a batch file and a base64-encoded file, which decodes into a DLL. The DLL is then executed via rundll32.exe to deploy the StrelaStealer payload. The malware primarily affects email clients such as Outlook and Thunderbird, stealing email login data and sending it to the attacker’s command and control server.
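
The delivery chain described above leaves a recognizable process ancestry on the endpoint: a script host running a JScript file, a batch file, then rundll32.exe. The following is an added detection example, not part of the original advisory or any vendor tooling; it walks constructed process-creation events and flags rundll32.exe launched beneath a script host that ran a .js/.jse file. The event field names, file paths, export name, and the use of wscript.exe/cscript.exe and cmd.exe as the intermediate processes are assumptions.

```python
import re

# Assumption: JScript files are opened by the Windows script hosts below.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JSCRIPT_ARG = re.compile(r"\.jse?\b", re.IGNORECASE)  # matches .js/.jse, not .json

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_script_to_rundll32(events):
    """Flag rundll32.exe processes whose ancestry contains a script host
    that was started with a JScript file on its command line.
    Simplification: PIDs are assumed unique within the event window."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev["image"]) != "rundll32.exe":
            continue
        chain, seen, cur = [ev], {ev["pid"]}, by_pid.get(ev["ppid"])
        while cur is not None and cur["pid"] not in seen:  # guard against loops
            chain.append(cur)
            seen.add(cur["pid"])
            if (image_name(cur["image"]) in SCRIPT_HOSTS
                    and JSCRIPT_ARG.search(cur["cmdline"])):
                alerts.append({"pid": ev["pid"], "cmdline": ev["cmdline"],
                               "chain": [image_name(c["image"]) for c in reversed(chain)]})
                break
            cur = by_pid.get(cur["ppid"])
    return alerts

# Constructed sample events (hypothetical paths and names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\sample.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\sample.dll,SampleExport"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign: no script host ancestor
]

if __name__ == "__main__":
    for alert in find_script_to_rundll32(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]), "|", alert["cmdline"])
```

The same ancestry condition can be expressed as a rule in an EDR or SIEM that records parent-child process relationships.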

Why is it noteworthy?

The StrelaStealer malware is noteworthy due to the potential damage it can cause. It has the ability to continuously update its obfuscation techniques and evade detection. The large-scale campaigns launched by the threat actors behind StrelaStealer have impacted over 100 organizations in Europe and the United States, demonstrating the scale of the threat. Additionally, the malware’s operators were able to adapt their attacks to multiple languages used in Europe, which increased its impact in the region.

What is the exposure or risk?

A successful attack can lead to the compromise of email login credentials, potentially enabling attackers to access sensitive information, send unauthorized emails, or conduct further attacks. Most targeted entities operate in the ‘high tech’ space, followed by sectors like finance, legal services, manufacturing, government, utilities and energy, insurance, and construction. Organizations in these sectors, especially those relying heavily on email communication, are at risk of significant damage, including data breaches, financial losses, and reputational harm. Additionally, individuals who fall victim to phishing emails and unknowingly download the malware are also at risk of personal data theft and identity fraud.

What are the recommendations?

Barracuda MSP recommends the following actions to prevent StrelaStealer malware phishing attacks:

  • Use email protection solutions such as Barracuda Email Protection to detect and quarantine suspicious emails, identify users who interacted with such emails, and apply effective remediation action to secure your environment.
  • Conduct regular cybersecurity awareness training to educate users about phishing risks and the importance of verifying email attachments before downloading or opening them.
  • Enforce strong email security measures, such as multi-factor authentication (MFA) and email filtering, to reduce the likelihood of successful phishing attacks.
  • Stay updated on the latest cybersecurity trends and threats and implement necessary security patches and updates to protect against known vulnerabilities.

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Anika Jishan

Anika is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Anika supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
