Cybercriminals target victims in Spain, Germany, Ukraine with Strela Stealer malware


Cybercriminals are targeting victims throughout Europe — primarily in Spain, Germany and Ukraine — in an ongoing information-stealing campaign, researchers have found.

The financially-motivated group tracked as Hive0145 has infected targets with Strela Stealer malware delivered through phishing emails disguised as legitimate invoice notifications. 

Although the group initially relied on fake invoices and receipts sent from fabricated accounts, they recently began weaponizing stolen emails from real entities in the financial, technology, manufacturing, media, e-commerce and other sectors, according to researchers at IBM X-Force, who analyzed the latest campaigns.

Strela Stealer is designed to extract user credentials stored in Microsoft and Mozilla email services. The malware has been in use since at least 2022, targeting organizations across Europe and the U.S. Hive0145 is believed to be the tool’s sole operator.

Over the past two years, the group has experimented with various techniques to improve the Strela Stealer infection chain, and its attacks have increased in volume, researchers said. 

Hive0145 likely uses stolen credentials for email fraud, such as tricking victims into sending money or sensitive information. The hackers may also sell stolen emails to affiliates for further business email compromise.

Despite evolving techniques, Strela Stealer has changed little in functionality over the past two years, researchers said. In addition to targeting two email clients, the malware’s latest version also collects system information, retrieves a list of installed applications and checks the victim’s keyboard language to target only those using Spanish, German, Catalan, Polish, Italian, Basque or Ukrainian.

Researchers have not attributed Hive0145 to a specific country. Ukraine’s government previously reported an increase in financially-motivated cyberattacks conducted by unidentified hacker groups associated with Russia. Like Hive0145, the hackers primarily distributed malware through phishing campaigns, often using previously compromised email addresses.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
