Obfuscated JavaScript and WebDAV: Strela Stealer’s New Tools for Credential Theft

by do son · November 4, 2024

Phishing Email | Image: CRIL

A recent report from Cyble Research and Intelligence Labs (CRIL) highlights a sophisticated phishing campaign deploying Strela Stealer, a malware designed to exfiltrate sensitive data from compromised systems. This campaign is focused on Central and Southwestern Europe, with specific targeting aimed at German and Spanish-speaking regions. Strela Stealer has evolved to use advanced techniques, including WebDAV-based execution, to evade detection and enhance data theft capabilities.

The campaign uses spear-phishing emails crafted to look like invoice notifications, enticing victims to open ZIP file attachments. CRIL notes that “the phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files,” which are specifically designed to evade detection by common security tools. Once the victim opens the ZIP file, they encounter a JavaScript file that, when executed, decodes a PowerShell command to load the Strela Stealer payload from a remote WebDAV server.

JavaScript File | Image: CRIL

The use of WebDAV for delivering the malware is a key tactic in this campaign. By downloading and executing the malicious DLL payload directly from a WebDAV server, Strela Stealer avoids writing the payload to disk, a technique that effectively bypasses security products. CRIL reports, “This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using ‘rundll32.exe’”. This approach complicates detection and prevents many endpoint protection solutions from identifying the malware.

Once executed, Strela Stealer focuses on stealing email credentials from Microsoft Outlook and Mozilla Thunderbird, two of the most widely used email clients. It extracts usernames, passwords, and server configurations, sending this information to a command-and-control (C2) server. In the case of Thunderbird, the malware scans for profiles and collects the “logins.json” and “key4.db” files, which store encrypted user credentials. The data is then encrypted using a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793,” before being sent to the C2 server.

In addition to email credentials, Strela Stealer performs reconnaissance by gathering system information through the “systeminfo” command. This data, along with a list of sensitive filenames on the system, is exfiltrated to the C2 server, allowing attackers to map the victim’s file structure for potential further exploitation.

Strela Stealer employs locale-based targeting to refine its focus on specific regions. It checks the victim’s system locale to determine if it matches German (0407), Spanish (0C0A), or Basque (042D) before proceeding with its data theft operations. If the locale does not match these identifiers, the malware halts execution, demonstrating the attackers’ intent to target German and Spanish-speaking regions specifically.

The Strela Stealer campaign exemplifies the growing sophistication of phishing campaigns, using stealthy techniques like WebDAV-based execution and obfuscation to bypass security defenses. As CRIL warns, “the recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques,” highlighting the need for vigilant cybersecurity practices to counteract such targeted attacks.