Cybersecurity researchers have detected a brand new wave of phishing assaults that intention to ship an ever-evolving info stealer known as StrelaStealer.
The campaigns impression greater than 100 organizations within the E.U. and the U.S., Palo Alto Networks Unit 42 researchers mentioned in a brand new report revealed at the moment.
“These campaigns come within the type of spam emails with attachments that finally launch the StrelaStealer’s DLL payload,” the corporate mentioned in a report revealed at the moment.
“In an try to evade detection, attackers change the preliminary electronic mail attachment file format from one marketing campaign to the subsequent, to stop detection from the beforehand generated signature or patterns.”
First disclosed in November 2022, StrelaStealer is provided to siphon electronic mail login information from well-known electronic mail shoppers and exfiltrate them to an attacker-controlled server.
Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 concentrating on excessive tech, finance, skilled and authorized, manufacturing, authorities, vitality, insurance coverage, and development sectors within the E.U. and the U.S.
These assaults additionally intention to ship a brand new variant of the stealer that packs in higher obfuscation and anti-analysis methods, whereas being propagated through invoice-themed emails bearing ZIP attachments, marking a shift from ISO information.
Current inside the ZIP archives is a JavaScript file that drops a batch file, which, in flip, launches the stealer DLL payload utilizing rundll32.exe, a respectable Home windows element accountable for operating 32-bit dynamic-link libraries.
The stealer malware additionally depends on a bag of obfuscation methods to render evaluation troublesome in sandboxed environments.
“With every new wave of electronic mail campaigns, risk actors replace each the e-mail attachment, which initiates the an infection chain, and the DLL payload itself,” the researchers mentioned.
The disclosure comes as Broadcom-owned Symantec revealed that faux installers for well-known functions or cracked software program hosted on GitHub, Mega or Dropbox are serving as a conduit for a stealer malware often known as Stealc.
Phishing campaigns have additionally been noticed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by way of a cryptors-as-a-service (CaaS) referred to as AceCryptor, per ESET.
“Throughout the second half of [2023], Rescoms grew to become essentially the most prevalent malware household packed by AceCryptor,” the cybersecurity agency mentioned, citing telemetry information. “Over half of those makes an attempt occurred in Poland, adopted by Serbia, Spain, Bulgaria, and Slovakia.”
Different outstanding off-the-shelf malware packed inside AceCryptor in H2 2023 embrace SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is value noting that many of those malware strains have additionally been disseminated through PrivateLoader.
One other social engineering rip-off noticed by Secureworks Counter Risk Unit (CTU) has been discovered to focus on people in search of details about just lately deceased people on search engines like google and yahoo with faux obituary notices hosted on bogus web sites, driving site visitors to the websites by means of SEO (website positioning) poisoning with a view to finally push adware and different undesirable applications.
“Guests to those websites are redirected to e-dating or grownup leisure web sites or are instantly introduced with CAPTCHA prompts that set up net push notifications or popup advertisements when clicked,” the corporate mentioned.
“The notifications show false virus alert warnings from well-known antivirus functions like McAfee and Home windows Defender, and so they persist within the browser even when the sufferer clicks one of many buttons.”
“The buttons hyperlink to respectable touchdown pages for subscription-based antivirus software program applications, and an affiliate ID embedded within the hyperlink rewards risk actors for brand new subscriptions or renewals.”
Whereas the exercise is at present restricted to filling fraudsters’ coffers through affiliate applications, the assault chains might be simply repurposed to ship info stealers and different malicious applications.
The event additionally follows the invention a brand new exercise cluster tracked as Fluffy Wolf that is capitalizing on phishing emails containing an executable attachment to ship a cocktail of threats, corresponding to MetaStealer, Warzone RAT, XMRig miner, and a respectable distant desktop instrument referred to as Distant Utilities.
The marketing campaign is an indication that even unskilled risk actors can leverage malware-as-a-service (MaaS) schemes to conduct profitable assaults at scale and plunder delicate info, which might then be monetized additional for revenue.
“Though mediocre by way of technical abilities, these risk actors obtain their objectives by utilizing simply two units of instruments: respectable distant entry providers and cheap malware,” BI.ZONE mentioned.
