Strela Stealer Malware Attacks Target Outlook, Thunderbird Credentials

Strela Stealer campaigns are intensifying as threat actors leverage legitimate stolen emails in their phishing attacks.

Researchers are warning of an ongoing campaign targeting victims in Spain, Germany and Ukraine that delivers the Strela Stealer malware via phishing emails containing genuine invoice notifications. This known information stealer extracts Microsoft Outlook and Mozilla Thunderbird credentials, which are then apparently used to harvest victims’ legitimate emails for use in future attacks.

“The continuous operational pace of Hive0145’s campaigns highlights an increased risk to potential victims across Europe,” said researchers with IBM X-Force in a Tuesday post.

Key Details:

  • The attack starts with phishing emails containing invoice notifications, which are genuine emails stolen from companies in the financial, technology, manufacturing, media and e-commerce industries

  • When victims open the attached file, it kicks off an infection chain that leads to Strela Stealer

  • Researchers attributed the attacks to a group they call Hive0145, which is a financially motivated initial access broker that has been active since 2022

The Background: Researchers with Palo Alto Networks earlier this year reported multiple large-scale email campaigns spreading Strela Stealer and impacting over 100 organizations across the EU and U.S. in early 2024. This week’s X-Force research revealed how the campaign has evolved over the past few months. In July, Hive0145 started using legitimate emails in its phishing attacks, and researchers said the group likely collected these emails using previously compromised credentials from past campaigns. In November, Hive0145 began targeting Ukraine with stolen invoice emails.

Why It Matters: Information stealers aren’t new in the threat landscape, but as Strela Stealer shows us, threat actors continue to find success in utilizing the credentials stolen through infostealer campaigns in order to launch new large-scale attacks. This past year, we saw the ramifications of the growing infostealer marketplace firsthand after threat actors used credentials stolen by infostealers to set the stage for attacks hitting Snowflake customers, for instance.

The Upshot: Threat actors are continuing to adopt new tactics for this attack: over the last 18 months, Hive0145 has tested various techniques to improve the malware’s infection chain. At the same time, campaigns are continuing to increase in volume. Researchers warned that they started seeing weekly campaigns as of Oct. 17.

“The wide variety of industries emulated by Hive0145’s email campaigns increases the potential risk of being targeted for commercial organizations throughout Europe,” said X-Force researchers. “Of note, organizations in Italian, Spanish, German, or Ukrainian-speaking regions may be at more immediate risk of a Hive0145 campaign.”