Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer.
The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today.
"These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer's DLL payload," the company said in a report published today.
"In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns."
First disclosed in November 2022, StrelaStealer is equipped to siphon email login data from well-known email clients and exfiltrate it to an attacker-controlled server.
Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting the high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S.
These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.
Present within the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic-link libraries.
The stealer malware also relies on a bag of obfuscation tricks to render analysis difficult in sandboxed environments.
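The ZIP → JavaScript → batch → rundll32.exe chain described above is something defenders can hunt for in endpoint telemetry. The following detection sketch is an added example, not code from Unit 42's report: it walks constructed Sysmon-style process-creation events (sample data, not real telemetry) and flags rundll32.exe loading a DLL from outside the Windows directory when a script host (wscript.exe/cscript.exe) and cmd.exe sit among its ancestors. The event layout, the "trusted if under C:\Windows" heuristic and all paths are assumptions for illustration.

```python
import ntpath
# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice_123.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\a\AppData\Local\Temp\run.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\a\AppData\Local\Temp\payload.dll,entry"},
    # Benign control-panel use of rundll32 launched by the shell; must not be flagged.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def rundll32_dll_path(cmdline):
    """Return the DLL argument of a rundll32 command line (without ,EntryPoint), else None."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or ntpath.basename(parts[0].strip('"')).lower() != "rundll32.exe":
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        arg = arg[1:].split('"', 1)[0]  # quoted path, may contain spaces
    else:
        arg = arg.split()[0]
    return arg.rsplit(",", 1)[0] if "," in arg else arg

def outside_windows_dir(path):
    # Heuristic (assumption): DLLs under C:\Windows are treated as trusted; anything else is suspect.
    return not ntpath.normpath(path).lower().startswith("c:\\windows\\")

def ancestry(by_pid, pid, max_depth=5):
    # Image basenames from the process up through its parents, nearest first.
    chain, cur = [], by_pid.get(pid)
    while cur and len(chain) < max_depth:
        chain.append(ntpath.basename(cur["image"]).lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def find_script_to_rundll32_chains(events):
    """Flag rundll32 loading a non-Windows DLL with a script host and cmd.exe among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        dll, chain = rundll32_dll_path(e["cmd"]), ancestry(by_pid, e["pid"])
        if dll and outside_windows_dir(dll) and "cmd.exe" in chain and SCRIPT_HOSTS & set(chain):
            hits.append({"pid": e["pid"], "dll": dll, "chain": " -> ".join(reversed(chain))})
    return hits
```

In a real deployment the same logic would key on the ParentImage/ParentProcessId fields of Sysmon Event ID 1 or the EDR equivalent, and the path heuristic would need tuning for legitimate software that ships its own DLLs.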
"With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself," the researchers said.
The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well-known applications or cracked software hosted on GitHub, Mega or Dropbox are serving as a conduit for a stealer malware known as Stealc.
Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by means of a cryptors-as-a-service (CaaS) known as AceCryptor, per ESET.
"During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor," the cybersecurity firm said, citing telemetry data. "Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia."
Other prominent off-the-shelf malware packed inside AceCryptor in H2 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is worth noting that many of these malware strains have also been disseminated via PrivateLoader.
Another social engineering scam observed by Secureworks Counter Threat Unit (CTU) has been found to target individuals searching for information about recently deceased people on search engines with fake obituary notices hosted on bogus websites, driving traffic to the sites via search engine optimization (SEO) poisoning in order to ultimately push adware and other unwanted programs.
"Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked," the company said.
"The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons."
"The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the link rewards threat actors for new subscriptions or renewals."
While the activity is currently limited to filling fraudsters' coffers via affiliate programs, the attack chains could easily be repurposed to deliver information stealers and other malicious programs.
The development also follows the discovery of a new activity cluster tracked as Fluffy Wolf that is capitalizing on phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig miner, and a legitimate remote desktop tool called Remote Utilities.
The campaign is a sign that even unskilled threat actors can leverage malware-as-a-service (MaaS) schemes to conduct successful attacks at scale and plunder sensitive information, which can then be monetized further for profit.
"Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware," BI.ZONE said.