{"id":6950,"date":"2023-09-18T09:06:14","date_gmt":"2023-09-18T09:06:14","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=6950"},"modified":"2023-09-22T08:05:28","modified_gmt":"2023-09-22T08:05:28","slug":"strelastealer-malware-analysis-2","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/malware-analysis\/strelastealer-malware-analysis-2\/","title":{"rendered":"StrelaStealer Malware Analysis"},"content":{"rendered":"\n\n\n<p> Fortgale has identified an offensive campaign targeting Italian business systems, carried out via malicious emails containing the <strong>StrelaStealer malware<\/strong>.<\/p>\n\n\n\n<p>During the compromise, several techniques are observed, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li><strong>Spearphishing Attachment<\/strong> \u00a0(<a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/001\/\" target=\"_blank\" rel=\"noreferrer noopener\">T1566.001<\/a>)<\/li>\n\n\n<li><strong>Obfuscated Files or Information <\/strong>(<a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/\" target=\"_blank\" rel=\"noreferrer noopener\">T1027<\/a>)<\/li>\n\n\n<li><strong>RunDLL32<\/strong> (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/011\/\" target=\"_blank\" rel=\"noreferrer noopener\">T1218.011<\/a>)<\/li>\n\n<\/ul>\n<p>The information collected and the characteristics of the compromise allow the case to be attributed to the StrelaStealer malware. 
It is a malware known since <strong>November 2022<\/strong> that cyclically reappears in new campaigns.<\/p>\n\n<p>Its purpose is usually to collect information about <strong>Outlook<\/strong> and <strong>Thunderbird<\/strong> accounts, as also confirmed by our technical analysis.<\/p>\n\n<p>These Threat Actors are focusing on <strong>European entities<\/strong>, particularly on <strong>Italian<\/strong>, <strong>Spanish<\/strong>, and <strong>German<\/strong> companies.<\/p>\n\n<p>Our investigation also identified localized strings in <strong>Polish<\/strong>, which had not emerged from previous analyses of the same malware. This suggests a potential <strong>expansion of the Threat Actor&#8217;s targets <\/strong>towards new countries.<\/p>\n\n<p>The language in use is deduced from the keyboard layout. <strong>If it does not correspond to one of the layouts indicated, the malware stops its execution<\/strong>.<\/p>\n\n<p>Another peculiarity of StrelaStealer, and the reason for its name, is the presence of the <strong>&#8220;strela&#8221; string <\/strong>used as an encryption key.<\/p>\n\n<p>The analysis below shows in detail the <strong>Discovery<\/strong>,<strong> Collection <\/strong>and <strong>Exfiltration<\/strong> tactics, reconstructed through <strong>Reverse Engineering<\/strong>.<\/p>\n\n<p>At the end of the article there is a list of<strong> Indicators of Compromise <\/strong>useful for identifying the malware in a business environment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1920\" height=\"1080\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1.png\" alt=\"StrelaStealer Malware\" class=\"wp-image-6715\" 
srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1.png 1920w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1-300x169.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1-1024x576.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1-768x432.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Strela-Stealer-1-1536x864.png 1536w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-malware-analysis\">Malware Analysis<\/h2>\n\n\n\n<p>The criminal actors used an &#8216;<strong>automation<\/strong>&#8217; to personalize the name of the zip file, using the <strong>domain<\/strong> of the victim&#8217;s email account.<\/p>\n\n\n\n<p>The compressed file contains a JavaScript file named <strong>&#8220;VictimDomain&#8221;.js<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image is-style-default\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" class=\"wp-image-6709 alignnone\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-2.png\" alt=\"\" width=\"1737\" height=\"206\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-2.png 835w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-2-300x36.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-2-768x91.png 768w\" sizes=\"(max-width: 1737px) 100vw, 1737px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<p><p>The <em>JavaScript<\/em> file contains <strong>obfuscated code<\/strong> divided into two portions, one written in <strong><em>.bat<\/em><\/strong> format and one in 
<strong><em>.js<\/em><\/strong> format. Execution via <em>cmd.exe<\/em> or <em>wscript.exe<\/em> determines the part of the code to execute (batch\/js).<\/p>\n<p>&nbsp;<\/p><\/p>\n\n\n<div class=\"wp-block-image is-style-zoooom\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" class=\"wp-image-6746  alignnone\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image-1024x169.png\" alt=\"\" width=\"1733\" height=\"286\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image-1024x169.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image-300x50.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image-768x127.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image-1536x254.png 1536w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/MicrosoftTeams-image.png 1863w\" sizes=\"(max-width: 1733px) 100vw, 1733px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n\n\n\n\n<p>&nbsp;<\/p>\n<p>This is decoded through the legitimate software <strong>certutil.exe,<\/strong> which generates the malicious payload by writing and starting the .dll file <strong>&#8220;2PCGV1.dll&#8221;<\/strong>:<\/p>\n<p><img decoding=\"async\" class=\"wp-image-6710 aligncenter\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-3.png\" alt=\"\" width=\"994\" height=\"91\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-3.png 732w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/image-3-300x27.png 300w\" sizes=\"(max-width: 994px) 100vw, 994px\" loading=\"lazy\" \/><\/p>\n<h3 class=\"wp-block-heading\">\u00a0<\/h3>\n<h3 class=\"wp-block-heading\">Malicious Payload: 2PCGV1.dll<\/h3>\n<p>\n\n\n\n<p>The DLL has been obfuscated through the 
addition of numerous <strong>mathematical operations<\/strong> that are useless, in order to <strong>slow down<\/strong> and <strong>complicate<\/strong> the analysis and identification of the operations performed by the malware.<\/p>\n\n\n\n<p>After careful observation, both through static and dynamic analysis, it was possible to identify the <strong>main function<\/strong>, which is decrypted in memory before execution.<\/p>\n\n\n\n<p>The functionalities of the malware are limited and simple. There are procedures for the <strong>exfiltration of data <\/strong>from <strong>Thunderbird and Outlook<\/strong> mail clients and subsequent sending via HTTP requests.<\/p>\n\n\n\n<p>Like many other Stealers, there are <strong>anti-analysis<\/strong> functionalities and checks on system localization.<\/p>\n\n\n\n<p>A characteristic of this sample is the verification of the keyboard layout: if the <strong>Italian, German, Spanish <\/strong>or <strong>Polish<\/strong> layout is not present, <strong><span style=\"text-decoration: underline\">the malware terminates its process<\/span><\/strong>.<\/p>\n\n\n\n<p>Once the information has been exfiltrated, depending on the recognized keyboard layout (it-IT, de-DE, es-ES, pl), the victim is shown an error message via a <strong>messagebox.<\/strong><\/p>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Defense Evasion<\/h3>\n\n\n\n<p>Checking for the presence of a <strong>debugger<\/strong> as an <strong>anti-analysis<\/strong> technique:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/DefenseEvasion_1.png\" alt=\"Checking for the presence of a debugger as an anti-analysis technique:\" class=\"wp-image-6723\" style=\"width:840px;height:1115px\" width=\"840\" height=\"1115\" 
srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/DefenseEvasion_1.png 556w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/DefenseEvasion_1-226x300.png 226w\" sizes=\"(max-width: 840px) 100vw, 840px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<p>Identification of localization and creation of a <strong>mutex<\/strong> based on the machine name:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/mutex_2.png\" alt=\"Identification of localization and creation of a mutex based on the machine name:\" class=\"wp-image-6724\" style=\"width:839px;height:931px\" width=\"839\" height=\"931\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/mutex_2.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/mutex_2-270x300.png 270w\" sizes=\"(max-width: 839px) 100vw, 839px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Collection<\/h3>\n\n\n\n<p>Exfiltration of the data collected from <strong>Outlook<\/strong> and <strong>Thunderbird<\/strong>, and closure with a message:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/outlook_3.png\" alt=\"Exfiltration of the data collected from Outlook and Thunderbird, and closure with a message:\" class=\"wp-image-6725\" style=\"width:840px;height:938px\" width=\"840\" height=\"938\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/outlook_3.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/outlook_3-269x300.png 269w\" sizes=\"(max-width: 840px) 
100vw, 840px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<p>Data is collected from the registry values &#8220;<em><strong>IMAP Server<\/strong><\/em>&#8221;, &#8220;<strong><em>IMAP User<\/em><\/strong>&#8221; and &#8220;<strong><em>IMAP Password<\/em><\/strong>&#8221;. The value of &#8220;IMAP Password&#8221; is decrypted via \u201c<strong><em>CryptUnprotectData<\/em><\/strong>\u201d before being sent to the server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/imap_4.png\" alt=\"Data is collected from the registry values \u201cIMAP Server\u201d, \u201cIMAP User\u201d and \u201cIMAP Password\u201d. The value of \u201cIMAP Password\u201d is decrypted via \u201cCryptUnprotectData\u201d before being sent to the server:\" class=\"wp-image-6726\" style=\"width:841px;height:833px\" width=\"841\" height=\"833\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/imap_4.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/imap_4-300x297.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/imap_4-150x150.png 150w\" sizes=\"(max-width: 841px) 100vw, 841px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<p>The second group of information collected relates to Thunderbird; these data are collected from the files <strong>%APPDATA%\\Thunderbird\\Profiles\\*\\logins.json<\/strong> and <strong>%APPDATA%\\Thunderbird\\Profiles\\*\\key4.db<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_5-1.png\" alt=\"\" class=\"wp-image-6728\" style=\"width:841px;height:884px\" 
width=\"841\" height=\"884\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_5-1.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_5-1-285x300.png 285w\" sizes=\"(max-width: 841px) 100vw, 841px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><br>Pt. 1<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_6.png\" alt=\"\" class=\"wp-image-6729\" style=\"width:840px;height:318px\" width=\"840\" height=\"318\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_6.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_6-300x113.png 300w\" sizes=\"(max-width: 840px) 100vw, 840px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><br>Pt. 2<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_7.png\" alt=\"\" class=\"wp-image-6730\" style=\"width:840px;height:439px\" width=\"840\" height=\"439\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_7.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/thunderbird_7-300x157.png 300w\" sizes=\"(max-width: 840px) 100vw, 840px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Pt. 
3<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Exfiltration<\/h3>\n\n\n\n<p>The collected information is sent via POST method to the URL <strong>hxxp:\/\/91[.]215[.]85[.]209\/server.php<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_8.png\" alt=\"\" class=\"wp-image-6731\" style=\"width:840px;height:384px\" width=\"840\" height=\"384\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_8.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_8-300x137.png 300w\" sizes=\"(max-width: 840px) 100vw, 840px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_9-2.png\" alt=\"\" class=\"wp-image-6735\" style=\"width:841px;height:780px\" width=\"841\" height=\"780\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_9-2.png 645w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/exfiltration_9-2-300x278.png 300w\" sizes=\"(max-width: 841px) 100vw, 841px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Communication with the server<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Server_10.png\" alt=\"\" class=\"wp-image-6734\" style=\"width:839px;height:199px\" width=\"839\" height=\"199\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Server_10.png 644w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/07\/Server_10-300x71.png 300w\" 
sizes=\"(max-width: 839px) 100vw, 839px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p>From the information in our possession, this type of offensive campaign does not appear to be a targeted attack but rather a mass compromise activity against systems located in Europe.<\/p>\n\n\n\n<p>Despite this, it is a serious threat to companies: if not blocked promptly, it could pose a <strong>tangible risk<\/strong> to the security of the victim.<\/p>\n\n\n\n<p>This type of compromise could lead to more serious consequences such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>exfiltration of personal data of the victim<\/li>\n\n\n\n<li>exfiltration of company data<\/li>\n\n\n\n<li>infrastructure compromises<\/li>\n\n\n\n<li>ransomware attacks<\/li>\n<\/ul>\n\n\n\n<p>Given the nature of the malware, the concrete risk is the <strong>compromise of Outlook accounts <\/strong>linked to the <strong>company domain<\/strong> and, consequently, <strong>access to the system<\/strong>, the starting point for more advanced offensive activities.<\/p>\n\n\n\n<p>We believe that StrelaStealer is a malware that will have a growing impact on business and non-business systems located in Europe.<\/p>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">YARA Rules<\/h2>\n\n\n\n<p>Fortgale has developed the following <em><strong>YARA rule<\/strong><\/em>:<\/p>\n\n\n<div style=\"font-family: monospace;padding: 1.0pt 4.0pt 1.0pt 4.0pt;background: whitesmoke\">\n<div>\n<div><span style=\"color: #0000ff\">rule<\/span> my_rule {<\/div>\n<div>\u00a0 \u00a0 <span style=\"color: #0000ff\">meta:<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 Author = <span style=\"color: #993300\">&quot;Fortgale&quot;<\/span><\/div>\n<div>\u00a0 
\u00a0<\/div>\n<div>\u00a0 \u00a0 <span style=\"color: #0000ff\">strings:<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $xor_string_strela = <span style=\"color: #993300\">&quot;strela&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $xor_string_uuid = <span style=\"color: #993300\">\/[a-z0-9]{8}\\-[a-z0-9]{4}\\-[a-z0-9]{4}\\-[a-z0-9]{4}\\-[a-z0-9]{12}\/<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $uri = <span style=\"color: #993300\">&quot;\/server.php&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $user_agent = <span style=\"color: #993300\">&quot;Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.113 Safari\/537.36&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 <span style=\"color: #008000\">\/\/ error messages shown to the victim after exfiltration (UTF-16LE): the Polish one is a hex string because \u017c and \u0107 are outside Latin-1, the others use \\x escapes with the wide modifier<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $msg_pl = <span style=\"color: #008000\">{<\/span><span style=\"color: #993300\"> 50 00 6c 00 69 00 6b 00 20 00 6a 00 65 00 73 00 74 00 20 00 75 00 73 00 7a 00 6b 00 6f 00 64 00 7a 00 6f 00 6e 00 79 00 20 00 69 00 20 00 6e 00 69 00 65 00 20 00 6d 00 6f 00 7c 01 65 00 20 00 7a 00 6f 00 73 00 74 00 61 00 07 01 20 00 75 00 72 00 75 00 63 00 68 00 6f 00 6d 00 69 00 6f 00 6e 00 79 00 2e 00 <\/span><span style=\"color: #008000\">}<\/span> <span style=\"color: #008000\">\/\/ &quot;Plik jest uszkodzony i nie mo\u017ce zosta\u0107 uruchomiony.&quot;<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $msg_it = <span style=\"color: #993300\">&quot;Il file \\xe8 danneggiato e non pu\\xf2 essere eseguito.&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $msg_es = <span style=\"color: #993300\">&quot;El archivo est\\xe1 da\\xf1ado y no se puede ejecutar.&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $msg_de = <span style=\"color: #993300\">&quot;Die Datei ist besch\\xe4digt und kann nicht ausgef\\xfchrt werden.&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $discovery_str1 = <span style=\"color: #993300\">&quot;%s%s\\\\key4.db&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $discovery_str2 = <span style=\"color: #993300\">&quot;%s%s\\\\logins.json&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $discovery_str3 = <span style=\"color: #993300\">&quot;\\\\Thunderbird\\\\Profiles\\\\&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 $discovery_str4 = <span style=\"color: #993300\">&quot;SOFTWARE\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\&quot;<\/span> <span style=\"color: #0000ff\">ascii wide<\/span><\/div>\n<div>\u00a0 \u00a0 <span style=\"color: #0000ff\">condition:<\/span><\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 any of ($msg_*) and any of ($discovery_str*) and any of ($uri, $user_agent, $xor_string_strela, $xor_string_uuid)<\/div>\n<div>}<\/div>\n<\/div>\n<\/div>\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-attack-patterns\">Attack Patterns<\/h2>\n\n\n\n<p>Mapping of the <strong>Tactics, Techniques and Procedures (TTPs)<\/strong> used to perform the attack:<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>CODE<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>NAME<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>DESCRIPTION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>DISCOVERY<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" 
data-align=\"left\"><strong>T1518<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Software Discovery<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1083<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">File and Directory Discovery<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1012<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Query Registry<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1426<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">System Information Discovery<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>EXECUTION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1059.003<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Windows Command Shell<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may abuse the Windows command shell for execution. 
The Windows command shell (cmd) is the primary command prompt on Windows systems.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1059.007<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">JavaScript<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may abuse various implementations of JavaScript for execution. JavaScript is a platform-independent scripting language commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>DEFENSE EVASION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1027<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Obfuscated Files or Information<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1218.011<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">RunDLL32<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may abuse rundll32.exe to proxy execution of malicious code. 
Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1140<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Deobfuscate\/Decode Files or Information<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may use&nbsp;Obfuscated Files or Information&nbsp;to hide artifacts of an intrusion from analysis.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1622<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Debugger Evasion<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may employ various means to detect and avoid debuggers.&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>INITIAL ACCESS<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1566.001<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Spearphishing Attachment<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>COLLECTION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1560<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Archive Collected Data<\/td><td class=\"has-text-align-left\" data-align=\"left\">An adversary may compress and\/or encrypt data that is collected prior to 
exfiltration.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1119<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Automated Collection<\/td><td class=\"has-text-align-left\" data-align=\"left\">Once established within a system or network, an adversary may use automated techniques for collecting internal data.&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1005<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Data from Local System<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1114<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Email Collection<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may target user email to collect sensitive information. 
Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries.&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>EXFILTRATION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1041<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Exfiltration Over C2 Channel<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may steal data by exfiltrating it over an existing command and control channel.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div class=\"wp-block-spacer\" style=\"height: 100px\" aria-hidden=\"true\">\u00a0<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise-ioc\">Indicators of Compromise (IOC)<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>INFO<\/strong><\/td><td><strong>TYPE<\/strong><\/td><td><strong>Value<\/strong><\/td><\/tr><tr><td><strong>IOZN9N.bat<\/strong><\/td><td>file BAT<\/td><td>7aa255285fcff60772086f75acd4e2e6c0a09a1fab94be32a705f550287c3dc2<\/td><\/tr><tr><td><strong>2PCGV1.dll<\/strong><\/td><td>file DLL<\/td><td>90b124755902204fa4b5ffd3cb6b1c334de6aca39b9a3bbc85e50b46a6b7a342<\/td><\/tr><tr><td><strong>8HFZVO<\/strong><\/td><td>text file<\/td><td>210d530ce66b48d4e643ca7fc9211498cd24c2b74e202bacd65ae34ec9bcf938<\/td><\/tr><tr><td><strong>Exfiltr. Server<\/strong><\/td><td>URL<\/td><td>hxxp:\/\/91[.]215[.]85[.]209\/server.php<\/td><\/tr><tr><td><strong>Exfiltr. Server<\/strong><\/td><td>IP Add.<\/td><td>91[.]215[.]85[.]209<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Fortgale has identified an offensive campaign targeting Italian business systems, carried out via malicious email containing the StrelaStealer malware. 
During the compromise, several techniques are observed including: Its purpose is usually to collect information about Outlook and ThunderBird accounts, as also confirmed by our technical analysis. The attention of these Threat Actors is focusing on [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":6715,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2483],"tags":[478],"class_list":["post-6950","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-strelastealer"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=6950"}],"version-history":[{"count":13,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6950\/revisions"}],"predecessor-version":[{"id":7210,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/6950\/revisions\/7210"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/6715"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=6950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=6950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=6950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}