Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer called StrelaStealer.
The campaigns impact more than 100 organizations in the EU and the US, researchers from Palo Alto Networks’ Unit 42 said in a new report released today.
“These campaigns come in the form of spam emails with attachments that ultimately launch the StrelaStealer DLL payload,” the company said in a report published today.
“In an attempt to evade detection, attackers change the initial format of the email attachment file from one campaign to another, to prevent detection from previously generated signature or templates.”
First disclosed in November 2022, StrelaStealer is capable of stealing email login data from known email clients and transferring it to a server controlled by attackers.
Since then, two large-scale campaigns involving the malware were detected in November 2023 and January 2024, targeting the high-tech, financial, professional and legal, manufacturing, government, energy, insurance and construction sectors in the EU and the United States.
These attacks also aim to deliver a new variant of the stealer that packs better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails with ZIP attachments, marking a shift away from ISO files.
Inside the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the DLL stealer payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic link libraries.
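The infection chain described above (ZIP archive, JavaScript dropper, batch file, then rundll32.exe loading the DLL payload) leaves a recognisable process tree. The following is an added detection example, not code from Unit 42's report: it walks constructed process-creation events (shaped like Sysmon Event ID 1 records) and flags any rundll32.exe that loads a DLL from a user-writable directory while descending from cmd.exe under a script host. The event layout, the path patterns and the sample file names are assumptions made for the example.

```python
import re

# Process images that host a JavaScript dropper when a user double-clicks it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed "user-writable" locations; a DLL loaded from here by rundll32 is unusual.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.I)

# Constructed sample events: (pid, parent_pid, image, command_line).
# PIDs 200-400 model the StrelaStealer-style chain; 500-600 are benign noise.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'),
    (300, 200, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\run.bat"'),
    (400, 300, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\payload.dll,entry"),
    (500, 1,   r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (600, 500, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dll_from_rundll32(cmdline):
    """Return the DLL path from 'rundll32.exe <dll>[,<entry>] ...', or None."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def suspicious_rundll32(events):
    """Flag rundll32 loading a user-writable DLL beneath cmd.exe and a script host."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if basename(image) != "rundll32.exe":
            continue
        dll = dll_from_rundll32(cmd)
        if not dll or not USER_WRITABLE.match(dll):
            continue
        chain, cur = [], ppid            # walk up to five ancestors
        while cur in by_pid and len(chain) < 5:
            chain.append(basename(by_pid[cur][2]))
            cur = by_pid[cur][1]
        if "cmd.exe" in chain and SCRIPT_HOSTS & set(chain):
            hits.append((pid, dll, " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, dll, chain in suspicious_rundll32(EVENTS):
        print(f"pid {pid}: rundll32 loaded {dll} via {chain}")
```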
The stealer malware also relies on a variety of obfuscation tricks to make analysis difficult in sandbox environments.
“With each new wave of email campaigns, threat actors update both the email attachment, which starts the infection chain, and the DLL payload itself,” the researchers said.
The disclosure comes as Broadcom-owned Symantec revealed that fake installers of well-known applications or cracked software hosted on GitHub, Mega or Dropbox act as a conduit for a thieving malware known as Stealc.
Phishing campaigns delivering Revenge RATs and Remcos RATs (also known as Rescoms) have also been observed, the latter delivered via a cryptors-as-a-service (CaaS) called AceCryptor, according to ESET.
“In the second half of [2023], Rescoms has become the most prevalent malware family packaged by AceCryptor,” the cybersecurity firm said, citing telemetry data. “Over half of these attempts occurred in Poland, followed by Serbia, Spain, Bulgaria and Slovakia.”
Other notable standard malware contained in AceCryptor in the second half of 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is worth noting that many of these malware strains were also spread via PrivateLoader.
Another social engineering scam, observed by the Secureworks Counter Threat Unit (CTU), targets people who search for information about recently deceased individuals: fake obituaries are hosted on bogus websites, traffic is driven to those sites through search engine optimization (SEO) poisoning, and the end goal is to push adware and other unwanted programs.
“Visitors to these sites are redirected to e-dating or adult entertainment sites or are immediately presented with CAPTCHA suggestions that install web push notifications or pop-up ads when clicked,” the company said.
“The notifications display fake virus alerts from popular antivirus applications such as McAfee and Windows Defender and persist in the browser even if the victim clicks one of the buttons.”
“The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals.”
While the activity is currently limited to filling scammers’ coffers via affiliate programs, the attack chains could easily be repurposed to deliver information thieves and other malicious programs.
The development also follows the discovery of a new activity cluster tracked as Fluffy Wolf that exploits phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig Miner and a legitimate remote desktop tool called Remote Utilities.
The campaign is a sign that even unskilled threat actors can exploit malware-as-a-service (MaaS) schemes to conduct large-scale successful attacks and plunder sensitive information, which can then be further monetized for profit.
“Although mediocre in terms of technical expertise, these threat actors achieve their goals using only two sets of tools: legitimate remote access services and inexpensive malware,” BI.ZONE said.