A fresh wave of phishing attacks has been uncovered by cybersecurity researchers, targeting more than 100 organizations across the European Union (EU) and the United States (US). Palo Alto Networks Unit 42 researchers unveiled this finding in a report released today.
According to the researchers—Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri—the attacks arrive in the form of spam emails with attachments, which ultimately deploy StrelaStealer's DLL payload.
The attackers have been switching the file format of the email attachments from one campaign to another to evade detection by altering signatures or patterns generated from previous attacks.
Initially identified in November 2022, StrelaStealer is designed to extract email login credentials from popular email clients and send them to a server controlled by the attackers. Since then, two large-scale campaigns involving the malware have been observed, one in November 2023 and another in January 2024, targeting various sectors such as high tech, finance, professional services, manufacturing, government, energy, insurance, and construction.
The latest variant of StrelaStealer employs improved obfuscation and anti-analysis techniques. These attacks are now being propagated through emails with invoice themes and ZIP attachments, a departure from previous ISO files.
Inside the ZIP archives lies a JavaScript file that drops a batch file, which then executes the StrelaStealer DLL payload using rundll32.exe, a legitimate Windows component responsible for executing 32-bit dynamic-link libraries.
To evade detection in sandboxed environments, the malware employs various obfuscation techniques.
"With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself," the researchers noted.
Meanwhile, Symantec, a subsidiary of Broadcom, has disclosed that fake installers for popular applications or cracked software hosted on platforms like GitHub, Mega, or Dropbox are being exploited to distribute Stealc, another information-stealing malware.
Additionally, phishing campaigns have been observed distributing Revenge RAT and Remcos RAT, with the latter being delivered via a cryptor-as-a-service (CaaS) known as AceCryptor, according to ESET.
Furthermore, Secureworks has identified a social engineering scam targeting individuals searching for information about deceased individuals on search engines. These scams lead victims to fake obituary notices on bogus websites, which then redirect them to e-dating or adult entertainment websites, or present false virus alert warnings to install web push notifications or popup ads.
The emergence of these threats underscores the increasing use of malware-as-a-service (MaaS) schemes by threat actors, even those with limited technical capabilities, to carry out successful attacks on a large scale and monetize sensitive information for profit.
