
Cybersecurity researchers have detected a new wave of phishing attacks delivering an ever-evolving information stealer known as StrelaStealer.
Palo Alto Networks Unit 42 researchers said in a new report released today that the campaign affected more than 100 organizations in the European Union and the United States.
Researchers Benjamin Chang, Gautam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothatthri said, “These campaigns come in the form of spam emails with attachments that eventually launch StrelaStealer's DLL payload.”
“To evade detection, attackers change the format of the initial email attachment for each campaign, preventing detection by previously generated signatures and patterns.”
First disclosed in November 2022, StrelaStealer has the ability to siphon email login data from popular email clients and exfiltrate the data to attacker-controlled servers.
Since then, two large-scale campaigns involving this malware have been detected, in November 2023 and January 2024, targeting the high-tech, finance, professional and legal services, manufacturing, government, energy, insurance, and construction sectors in the EU and US.

These attacks also deliver new variants of the stealer that incorporate better obfuscation and anti-analysis techniques, and they propagate via invoice-themed emails carrying ZIP attachments, marking a shift away from ISO files.
Inside the ZIP archive is a JavaScript file that drops the batch file. This file launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic link libraries.
This stealing malware also relies on a series of obfuscation tricks to make it difficult to analyze in sandbox environments.
“With each new wave of email campaigns, the attackers update both the email attachments and the DLL payloads themselves that start the infection chain,” the researchers said.
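As an added example (not code from the report or from this article), the following Python snippet shows how a defender could spot the process chain described above, a JavaScript dropper (wscript.exe) that runs a batch file (cmd.exe) which in turn launches rundll32.exe with a DLL from a user-writable directory, in process-creation telemetry. The simplified event shape and all paths and PIDs are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a simplified Sysmon Event ID 1 shape (assumed).
# pid 400 reproduces the chain described above: wscript.exe -> cmd.exe -> rundll32.exe loading a DLL
# from a user-writable directory. pid 500 is an ordinary rundll32.exe use that should not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,Entry"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a DLL loaded from here by rundll32 is unusual.
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the process itself up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against ppid cycles in bad data
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious_rundll32(events: List[Dict]) -> List[Dict]:
    """Flag rundll32.exe launches with a script-host ancestor or a DLL under a user-writable path."""
    findings = []
    for e in events:
        if image_name(e["image"]) != "rundll32.exe":
            continue
        reasons = []
        parents = ancestry(events, e["pid"])[1:]  # drop the process itself
        if SCRIPT_HOSTS & set(parents):
            reasons.append("script-host ancestor: " + " <- ".join(parents))
        if USER_WRITABLE.search(e["cmdline"]):
            reasons.append("DLL argument under user-writable path")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
```

Running `find_suspicious_rundll32(SAMPLE_EVENTS)` returns only pid 400, with both reasons attached.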
The disclosure comes as Symantec, a Broadcom company, reveals that fake installers for popular applications and cracked software hosted on GitHub, Mega, and Dropbox are acting as a conduit for the stealer malware known as Stealc.
According to ESET, phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (also known as Rescoms), the latter delivered via a cryptor-as-a-service (CaaS) called AceCryptor.

“In the second half of [2023], Rescoms became the most prevalent malware family packed with AceCryptor,” the cybersecurity firm said, citing telemetry data, adding, “More than half of these attempts occurred in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”
Other notable off-the-shelf malware packed inside AceCryptor in the second half of 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is worth noting that many of these malware strains are also spread via PrivateLoader.
Another social engineering scam observed by Secureworks uses fake obituary notices hosted on bogus websites to target individuals searching for information about recently deceased people, relying on search engine optimization (SEO) poisoning to drive traffic to the sites and ultimately pushing adware and other unwanted programs.
“Visitors to these sites are redirected to e-dating sites, adult entertainment sites, or are immediately presented with a CAPTCHA prompt that installs a web push notification or pop-up ad upon clicking,” the company said.

“Notifications display false virus alerts from well-known antivirus applications such as McAfee and Windows Defender, and they continue to appear in the browser even if the victim clicks on one of the buttons.”
“The button links to a legitimate landing page for a subscription-based antivirus software program, and the affiliate ID embedded in the hyperlink rewards the threat actor with a new subscription or renewal.”
While the scheme is currently limited to filling the scammers' coffers through antivirus affiliate programs, the attack chain could easily be repurposed to deliver information stealers or other malicious programs, posing a more serious threat.
The development also follows the discovery of a new activity cluster tracked as Fluffy Wolf that uses phishing emails with executable attachments to deliver an array of threats, including MetaStealer, Warzone RAT, the XMRig miner, and a legitimate remote desktop tool called Remote Utilities.
This campaign shows that even unsophisticated attackers can leverage malware-as-a-service (MaaS) schemes to successfully carry out large-scale attacks, loot sensitive information, and subsequently monetize it further.
“Despite their mediocre technical skills, these attackers use only two sets of tools to accomplish their goals: legitimate remote access services and inexpensive malware,” BI.ZONE said.