Cybersecurity researchers have detected a brand new wave of phishing assaults that goal to ship an ever-evolving data stealer known as StrelaStealer.
The campaigns influence greater than 100 organizations within the E.U. and the U.S., Palo Alto Networks Unit 42 researchers mentioned in a brand new report revealed at this time.
“These campaigns come within the type of spam emails with attachments that ultimately launch the StrelaStealer’s DLL payload,” the corporate mentioned in a report revealed at this time.
“In an try to evade detection, attackers change the preliminary electronic mail attachment file format from one marketing campaign to the subsequent, to forestall detection from the beforehand generated signature or patterns.”
First disclosed in November 2022, StrelaStealer is provided to siphon electronic mail login knowledge from well-known electronic mail shoppers and exfiltrate them to an attacker-controlled server.
Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 focusing on excessive tech, finance, skilled and authorized, manufacturing, authorities, power, insurance coverage, and development sectors within the E.U. and the U.S.
These assaults additionally goal to ship a brand new variant of the stealer that packs in higher obfuscation and anti-analysis methods, whereas being propagated by way of invoice-themed emails bearing ZIP attachments, marking a shift from ISO information.
Current inside the ZIP archives is a JavaScript file that drops a batch file, which, in flip, launches the stealer DLL payload utilizing rundll32.exe, a professional Home windows part answerable for operating 32-bit dynamic-link libraries.
The stealer malware additionally depends on a bag of obfuscation methods to render evaluation tough in sandboxed environments.
“With every new wave of electronic mail campaigns, risk actors replace each the e-mail attachment, which initiates the an infection chain, and the DLL payload itself,” the researchers mentioned.
The disclosure comes as Broadcom-owned Symantec revealed that pretend installers for well-known purposes or cracked software program hosted on GitHub, Mega or Dropbox are serving as a conduit for a stealer malware often known as Stealc.
Phishing campaigns have additionally been noticed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by the use of a cryptors-as-a-service (CaaS) known as AceCryptor, per ESET.
“Through the second half of [2023], Rescoms grew to become probably the most prevalent malware household packed by AceCryptor,” the cybersecurity agency mentioned, citing telemetry knowledge. “Over half of those makes an attempt occurred in Poland, adopted by Serbia, Spain, Bulgaria, and Slovakia.”
Different outstanding off-the-shelf malware packed inside AceCryptor in H2 2023 embrace SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is price noting that many of those malware strains have additionally been disseminated by way of PrivateLoader.
One other social engineering rip-off noticed by Secureworks Counter Risk Unit (CTU) has been discovered to focus on people in search of details about not too long ago deceased people on engines like google with pretend obituary notices hosted on bogus web sites, driving site visitors to the websites by search engine marketing (search engine marketing) poisoning as a way to finally push adware and different undesirable applications.
“Guests to those websites are redirected to e-dating or grownup leisure web sites or are instantly introduced with CAPTCHA prompts that set up net push notifications or popup adverts when clicked,” the corporate mentioned.
“The notifications show false virus alert warnings from well-known antivirus purposes like McAfee and Home windows Defender, they usually persist within the browser even when the sufferer clicks one of many buttons.”
“The buttons hyperlink to professional touchdown pages for subscription-based antivirus software program applications, and an affiliate ID embedded within the hyperlink rewards risk actors for brand new subscriptions or renewals.”
Whereas the exercise is at present restricted to filling fraudsters’ coffers by way of affiliate applications, the assault chains might be simply repurposed to ship data stealers and different malicious applications.
The event additionally follows the invention a brand new exercise cluster tracked as Fluffy Wolf that is capitalizing on phishing emails containing an executable attachment to ship a cocktail of threats, comparable to MetaStealer, Warzone RAT, XMRig miner, and a professional distant desktop software known as Distant Utilities.
The marketing campaign is an indication that even unskilled risk actors can leverage malware-as-a-service (MaaS) schemes to conduct profitable assaults at scale and plunder delicate data, which might then be monetized additional for revenue.
“Though mediocre when it comes to technical expertise, these risk actors obtain their objectives through the use of simply two units of instruments: professional distant entry providers and cheap malware,” BI.ZONE mentioned.
