S1183 StrelaStealer
StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.2134
| Item | Value |
|---|---|
| ID | S1183 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 31 December 2024 |
| Last Modified | 10 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | StrelaStealer communicates externally via HTTP POST with encrypted content.234 |
| enterprise | T1119 | Automated Collection | StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook following execution.2134 |
| enterprise | T1020 | Automated Exfiltration | StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST.24 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated variants to connect to a WebDAV server to download and executed an encrypted DLL for installation.4 |
| enterprise | T1059.003 | Windows Command Shell | StrelaStealer has included BAT files in some instances for installation.34 |
| enterprise | T1059.007 | JavaScript | StrelaStealer has been distributed as a malicious JavaScript object.134 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | StrelaStealer utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.4 |
| enterprise | T1001 | Data Obfuscation | StrelaStealer encrypts the payload of HTTP POST communications using the same XOR key used for the malware’s DLL payload.2 |
| enterprise | T1622 | Debugger Evasion | StrelaStealer variants include functionality to identify and evade debuggers.3 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | StrelaStealer payloads have included strings encrypted via XOR.2 StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.13 |
| enterprise | T1480 | Execution Guardrails | StrelaStealer variants only execute if the keyboard layout or language matches a set list of variables.34 |
| enterprise | T1480.002 | Mutual Exclusion | StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.3 |
| enterprise | T1041 | Exfiltration Over C2 Channel | StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers.2134 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | StrelaStealer has sideloaded a DLL payload using a renamed, legitimate msinfo32.exe executable.2 |
| enterprise | T1105 | Ingress Tool Transfer | StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.4 |
| enterprise | T1036 | Masquerading | StrelaStealer PE executable payloads have used uncommon but legitimate extensions such as .com instead of .exe.4 |
| enterprise | T1036.003 | Rename Legitimate Utilities | StrelaStealer has used a renamed, legitimate msinfo32.exe executable to sideload the StrelaStealer payload during initial installation.2 |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.4 |
| enterprise | T1036.008 | Masquerade File Type | StrelaStealer has been distributed as a DLL/HTML polyglot file.24 |
| enterprise | T1027 | Obfuscated Files or Information | StrelaStealer has been distributed in ISO archives.2 StrelaStealer has been delivered in encrypted, password-protected ZIP archives.4 |
| enterprise | T1027.002 | Software Packing | StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.1 |
| enterprise | T1027.013 | Encrypted/Encoded File | StrelaStealer uses XOR-encoded strings to obfuscate items.2 |
| enterprise | T1027.015 | Compression | StrelaStealer has been delivered via JScript files in a ZIP archive.13 |
| enterprise | T1027.016 | Junk Code Insertion | StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.3 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | StrelaStealer has been distributed as a spearphishing attachment.2 |
| enterprise | T1518 | Software Discovery | StrelaStealer variants use COM objects to enumerate installed applications from the “AppsFolder” on victim machines.4 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | StrelaStealer variants have used valid code signing certificates.4 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | StrelaStealer DLL payloads have been executed via rundll32.exe.14 |
| enterprise | T1082 | System Information Discovery | StrelaStealer variants collect victim system information for exfiltration.4 |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.34 |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | StrelaStealer searches for and if found collects the contents of files such as logins.json and key4.db in the $APPDATA%\Thunderbird\Profiles\ directory, associated with the Thunderbird email application.23 |
| enterprise | T1552.002 | Credentials in Registry | StrelaStealer enumerates the registry key HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ to identify the values for “IMAP User,” “IMAP Server,” and “IMAP Password” associated with the Outlook email application.234 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | StrelaStealer relies on user execution of a malicious file for installation.2 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.13 |
References
-
Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024. ↩↩↩↩↩↩↩↩↩
-
DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩