Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer.
The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today.
“These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload,” the company said in a report published today.
“In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns.”
First disclosed in November 2022, StrelaStealer is equipped to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server.
Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S.
These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.
Present within the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic-link libraries.
The stealer malware also relies on a bag of obfuscation tricks to render analysis difficult in sandboxed environments.
“With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself,” the researchers said.
The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well known applications or cracked software hosted on GitHub, Mega or Dropbox are serving as a conduit for a stealer malware known as Stealc.
Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by means of a cryptors-as-a-service (CaaS) called AceCryptor, per ESET.
“During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor,” the cybersecurity firm said, citing telemetry data. “Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
Other prominent off-the-shelf malware packed inside AceCryptor in H2 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It’s worth noting that many of these malware strains have also been disseminated via PrivateLoader.
Another social engineering scam observed by Secureworks Counter Threat Unit (CTU) has been found to target individuals seeking information about recently deceased individuals on search engines with fake obituary notices hosted on bogus websites, driving traffic to the sites through search engine optimization (SEO) poisoning in order to ultimately push adware and other unwanted programs.
“Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked,” the company said.
“The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons.”
“The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals.”
While the activity is currently limited to filling fraudsters’ coffers via affiliate programs, the attack chains could be easily repurposed to deliver information stealers and other malicious programs.
The development also follows the discovery a new activity cluster tracked as Fluffy Wolf that’s capitalizing on phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig miner, and a legitimate remote desktop tool called Remote Utilities.
The campaign is a sign that even unskilled threat actors can leverage malware-as-a-service (MaaS) schemes to conduct successful attacks at scale and plunder sensitive information, which can then be monetized further for profit.
“Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware,” BI.ZONE said.