
Cybersecurity researchers have discovered a new wave of phishing attacks aimed at delivering an evolving information-stealing program called StrelaStealer.
The campaigns affected more than 100 organizations in the European Union and the United States, researchers at Palo Alto Networks Unit 42 said in a new report released today.
“These campaigns come in the form of spam emails with attachments that ultimately launch StrelaStealer’s DLL payload,” the company said in a report released today.
“To evade detection, attackers change the initial email attachment file format from one campaign to the next to prevent detection via previously generated signatures or patterns.”
StrelaStealer, first disclosed in November 2022, is capable of stealing email login data from well-known email clients and transmitting it to attacker-controlled servers.
Since then, two large-scale campaigns involving the malware were detected in November 2023 and January 2024, respectively, targeting the high-tech, financial, professional and legal, manufacturing, government, energy, insurance, and construction industries in the EU and the United States.

The attacks also aim to deliver a new variant of the stealer that incorporates better obfuscation and anti-analysis techniques. It is spread via invoice-themed emails with ZIP attachments, marking a shift away from the ISO files used previously.
The ZIP file contains a JavaScript file that drops a batch file that launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic link libraries.
The stealer also relies on a series of obfuscation techniques that make analysis in a sandbox environment difficult.
“With each new wave of email campaigns, threat actors update the email attachments that launch the infection chain and the DLL payload itself,” the researchers said.
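The infection chain described above (a JavaScript file inside a ZIP drops a batch file, which launches the stealer DLL through rundll32.exe) leaves a recognisable parent/child process pattern in endpoint telemetry. The following detection sketch is an added example written for this page, not code from Unit 42 or any vendor: it walks process-creation events, finds rundll32.exe loading a DLL from a user-writable directory, and checks whether a script host (wscript.exe or cscript.exe) sits in the process ancestry. The event schema (`pid`, `ppid`, `image`, `cmdline`) and all sample events, paths and the DLL/export names are constructed assumptions modelled loosely on Sysmon Event ID 1 telemetry, not indicators from the report.

```python
"""Detection sketch for a script-host -> cmd.exe -> rundll32.exe chain.

Added example, not the report's or Unit 42's code. Event fields are assumed;
sample events below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample telemetry: one chain matching the described pattern
# (script host -> cmd.exe -> rundll32 loading a DLL from a user-writable
# directory) and one benign rundll32 use of a system DLL.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1001", "ppid": "800", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": "1002", "ppid": "1001", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice_2024\invoice.js"'},
    {"pid": "1003", "ppid": "1002", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'},
    {"pid": "1004", "ppid": "1003", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,ExportName"},
    # Benign: a service host calling rundll32 on a DLL under System32.
    {"pid": "2001", "ppid": "800", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": "2002", "ppid": "2001", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Script hosts that commonly execute a .js attachment (assumption: the page
# only says "a JavaScript file"; wscript/cscript are the usual hosts).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a DLL loaded from here by
# rundll32 is more suspicious than one from System32.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# First argument to rundll32 is the DLL path (optionally quoted), then ",Export".
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map pid -> event so parents can be looked up quickly."""
    return {e["pid"]: e for e in events}


def ancestry(index: Dict[str, Dict[str, str]], pid: str, depth: int = 3) -> List[str]:
    """Image basenames from the process up through at most `depth` parents."""
    chain: List[str] = []
    while pid in index and len(chain) <= depth:
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def find_suspicious_rundll32(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rundll32 launches of a user-writable DLL with a script host ancestor."""
    index = build_index(events)
    hits: List[Dict[str, str]] = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        m = DLL_ARG.search(e["cmdline"])
        if not m:
            continue
        dll = m.group(1)
        chain = ancestry(index, e["pid"])  # e.g. [rundll32, cmd, wscript, explorer]
        script_in_ancestry = any(p in SCRIPT_HOSTS for p in chain[1:])
        if USER_WRITABLE.search(dll) and script_in_ancestry:
            hits.append({"pid": e["pid"], "dll": dll, "chain": " <- ".join(chain)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rundll32(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['dll']} via {hit['chain']}")
```

The two conditions are deliberately combined: rundll32 loading a DLL from a user-writable path is common enough in installers to be noisy on its own, and a script-host ancestor alone would flag ordinary logon scripts; requiring both keeps the rule aligned with the chain the report describes while leaving the benign System32 case alone.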
Symantec, a unit of Broadcom, revealed that fake installers for well-known applications, or cracked software, hosted on GitHub, Mega or Dropbox are serving as conduits for a stealer malware called Stealc.
According to ESET's observations, phishing campaigns also deliver Revenge RAT and Remcos RAT (also known as Rescoms), the latter of which is delivered via a cryptor-as-a-service (CaaS) called AceCryptor.

“During the second half of [2023], Rescoms became the most popular malware family packaged by AceCryptor. More than half of the attempts occurred in Poland, followed by Serbia, Spain, Bulgaria and Slovakia,” the cybersecurity firm said, citing telemetry data.
Other notable off-the-shelf malware packaged in AceCryptor in the second half of 2023 included SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It is worth noting that many malware strains are also spread through PrivateLoader.
Another social engineering scam uncovered by the Secureworks Counter Threat Unit (CTU) targets people searching for information about recently deceased individuals on search engines. The operators host fake obituaries on bogus websites and drive traffic to them through search engine optimization (SEO) poisoning, ultimately pushing adware and other unwanted programs.
“Visitors to these sites are redirected to e-dating or adult entertainment sites or are immediately prompted with a verification code, which upon click installs a web push notification or pop-up ad,” the company said.

“These notifications display fake virus alert warnings from well-known antivirus applications such as McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons.”
“These buttons link to legitimate login pages for subscription-based antivirus software programs, and affiliate IDs embedded in the hyperlinks reward the threat actors with new or renewed subscriptions.”
While the campaign is currently limited to filling fraudsters’ coffers via affiliate programs, the attack chain could easily be repurposed to deliver information stealers and other malicious programs.
This development follows the discovery of a new activity cluster called Fluffy Wolf, which uses phishing emails containing executable attachments to deliver multiple threats such as MetaStealer, Warzone RAT, the XMRig miner and the legitimate Remote Utilities remote desktop tool.
The campaign demonstrates that even unskilled threat actors can leverage malware-as-a-service (MaaS) programs to successfully conduct large-scale attacks and loot sensitive information, which can then be further monetized for profit.
“Despite the mediocre technical skills of these threat actors, they used only two sets of tools to achieve their goals: legitimate remote access services and cheap malware,” BI.ZONE said.