Source |
RiskIQ |
Identifier |
8525596 |
Publication date |
2024-06-25 21:14:40 (viewed: 2024-06-25 22:07:38) |
Title |
StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe |
Text |
#### Targeted Geolocations
- Poland
- Spain
- Italy
- Germany
## Snapshot
The SonicWall Capture Labs threat research team has been monitoring an increase in the spread of StrelaStealer, an information stealer (infostealer) malware that first emerged in 2022. Read Microsoft's write-up on information stealers [here](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6).
## Description
In mid-June, there was a notable surge in JavaScript spreading StrelaStealer, which targets Outlook and Thunderbird email credentials. StrelaStealer's infection chain remains similar to previous versions but now includes checks to avoid infecting Russian systems. Its targets are primarily in Poland, Spain, Italy, and Germany.
The initial infection vector is an obfuscated JavaScript file delivered by email inside an archive. The script drops a copy of itself in the user's directory under a random name and then runs a batch file that checks the system language, excluding Russian systems by looking for the OSLanguage value 1049 (Russian). If the language is not Russian, a base64-encoded PE file is dropped and decoded, and the resulting DLL is executed with regsvr32.exe.
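The chain above (script host, batch stage, base64-decoded DLL loaded by regsvr32.exe) is what a detection engineer would hunt for. The following is an added example, not code from the RiskIQ/SonicWall write-up or from the malware: it runs that hunting logic over constructed Sysmon-style process-creation records and triages a dropped base64 blob by checking for an MZ/PE header. It assumes the JavaScript executes under wscript.exe or cscript.exe, that the batch stage appears as a cmd.exe ancestor, and that the DLL is written under C:\Users; the PIDs, paths and file names are invented.

```python
"""Hunting logic for the StrelaStealer delivery chain: JavaScript dropper ->
batch file -> base64-decoded PE -> regsvr32.exe loading the DLL.

Added example; every event record and the base64 blob below are constructed
for illustration and are not taken from a real sample or host."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: one chain matching the described behaviour
# (wscript.exe -> cmd.exe -> regsvr32.exe loading a DLL from C:\Users) and
# one benign regsvr32 run from System32 that must not raise an alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\kzq8.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\kzq8.dll"),
    ProcEvent(500, 100, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

# Absolute Windows path ending in .dll, with or without surrounding quotes.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"\s]+?\.dll)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process and its ancestors, nearest first (loop-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hunt_regsvr32_chain(events):
    """Flag regsvr32.exe loading a DLL from a user profile when a script host
    and cmd.exe (the batch stage) are both among its ancestors."""
    alerts = []
    for ev in events:
        if _basename(ev.image) != "regsvr32.exe":
            continue
        m = DLL_PATH.search(ev.cmdline)
        if not m or not m.group(1).lower().startswith("c:\\users\\"):
            continue
        lineage = ancestry(events, ev.pid)
        parents = {_basename(a.image) for a in lineage[1:]}
        if "cmd.exe" in parents and parents & {"wscript.exe", "cscript.exe"}:
            alerts.append({"pid": ev.pid, "dll": m.group(1),
                           "chain": [_basename(a.image) for a in lineage]})
    return alerts


def looks_like_base64_pe(text: str) -> bool:
    """True if the text is base64 whose decoded bytes carry a valid MZ header
    and PE signature, i.e. the kind of dropped blob the batch stage decodes."""
    try:
        data = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _constructed_pe_blob() -> str:
    """Synthetic MZ/PE header only (not a runnable executable), base64 encoded."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    return base64.b64encode(bytes(hdr)).decode()


SAMPLE_B64_PE = _constructed_pe_blob()

if __name__ == "__main__":
    for a in hunt_regsvr32_chain(SAMPLE_EVENTS):
        print("ALERT pid=%d dll=%s chain=%s"
              % (a["pid"], a["dll"], " <- ".join(a["chain"])))
    print("dropped blob is a PE:", looks_like_base64_pe(SAMPLE_B64_PE))
```

The ancestry walk is the part worth keeping: regsvr32.exe on its own is noisy, and the DLL path alone is bypassable by dropping elsewhere, but a script host and cmd.exe both sitting above a regsvr32.exe that loads from a user profile is a narrow enough combination to page on. The same logic maps onto Defender Advanced Hunting by joining DeviceProcessEvents on the initiating process and its parent.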
The DLL's obfuscated code decrypts the actual PE payload and injects it into the current process. The stealer dynamically resolves the APIs it needs and checks the keyboard layout to determine the system's geographic location, targeting Spanish, Basque, Polish, Catalan, Italian, and German layouts.
The malware begins its stealing routine with Mozilla Thunderbird, looking for specific files and sending the data to a designated IP address. It then targets Outlook, retrieving credential information from specific registry keys and sending it to the same IP.
## Additional Analysis
OSINT reporting about StrelaStealer indicates that its operators tend to initiate large-scale campaigns targeting organizations in specific geographic regions or countries. Initially, the malware primarily targeted Spanish-speaking users, but it has since evolved to target users speaking English and other European languages. According to Palo Alto Networks' 2024 [report](https://unit42.paloaltonetworks.com/strelastealer-campaign/) on StrelaStealer, the malware's main goal, stealing email login data from email clients, has not changed. However, the malware's infection chain and packer have been modified to evade detection and make analysis more difficult.
## Detections/Hunting Queries
Microsoft Defender Antivirus detects threat components as the following malware:
- *[Trojan:JS/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/StrelaStealer!MSR&threatId=-2147061639)*
- *[Trojan:Win64/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/StrelaStealer.GPAX!MTB&threatId=-2147056969)*
- *[Trojan:Win32/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/StrelaStealer.ASS!MTB&threatId=-2147054947)*
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly a |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
Stories |
|
The article does not appear to have been picked up after its publication.
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-06-26 19:07:50 |
(Déjà vu) Fickle Stealer Distributed via Multiple Attack Chain (direct link) |
## Snapshot
FortiGuard Labs Threat Research has identified a Rust-based stealer called Fickle Stealer, observed in May 2024.
## Description
This stealer is distributed through several methods, including a VBA dropper, a VBA downloader, a link downloader and an executable downloader. The attack chain is divided into three stages: delivery, preparatory work, and the packer and stealer payload.
The preparatory work consists of bypassing User Account Control (UAC) and running Fickle Stealer, creating a new scheduled task to run engine.ps1 after 15 minutes, and sending messages to the attacker's Telegram bot. Fickle Stealer is also protected by a packer disguised as a legitimate executable, which makes detection with some detection rules difficult. The malware drops a copy of itself in the temporary folder under a random name, runs the copy and terminates the running stealer. It then communicates with the server to send stolen data, including victim information, target applications, keywords and the contents of specific files, in JSON format. The server responds with a target list encrypted with the RC4 algorithm, and the malware processes various targets such as crypto wallets, plugins, file extensions, partial paths, applications, Gecko-engine browsers and Chromium-based browsers. Finally, the malware sends a screenshot to the server and deletes itself. Fickle Stealer is designed to receive its target list from the server, making it more flexible, and updated variants have been observed, indicating ongoing development.
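Because the target list comes back as RC4-encrypted JSON, an analyst who recovers the key from a sample can decrypt captured server replies and see exactly what the operator asked the stealer to collect. The following is an added example, not code from FortiGuard or from the malware: it implements RC4 and parses the decrypted reply. The key, the JSON field names and the reply itself are constructed stand-ins; the page gives none of them.

```python
"""Decrypt an RC4-encrypted JSON target list of the kind Fickle Stealer
receives from its server. Added example; ASSUMED_KEY, the field names in
SAMPLE_TARGETS and CAPTURED_REPLY are constructed, not real sample data."""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_target_list(key: bytes, blob: bytes) -> dict:
    """Recover the JSON target list from an RC4-encrypted server reply.
    Raises ValueError when the key is wrong (output is not valid UTF-8 JSON)."""
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("not a valid target list; wrong key?") from exc


# Constructed stand-in for a captured server reply. The key is assumed and the
# field names are illustrative; a real sample defines its own schema.
ASSUMED_KEY = b"example-key-not-real"
SAMPLE_TARGETS = {
    "wallets": ["Exodus", "Electrum"],
    "browsers": {"gecko": ["Firefox"], "chromium": ["Chrome", "Edge"]},
    "extensions": [".txt", ".kdbx"],
    "partial_paths": ["\\wallet\\"],
}
CAPTURED_REPLY = rc4(ASSUMED_KEY, json.dumps(SAMPLE_TARGETS).encode())

if __name__ == "__main__":
    print(json.dumps(decrypt_target_list(ASSUMED_KEY, CAPTURED_REPLY), indent=2))
```

RC4 has no integrity check, so a wrong key does not fail loudly; the JSON parse is the only signal, which is why decrypt_target_list turns a decode failure into a ValueError rather than returning garbage.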
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of information stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [Safe Attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments on inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azur |
Ransomware
Spam
Malware
Tool
Threat
|
|
★★★
|
|
|