In recent months, a notable wave of cyber-attacks has swept across Europe, orchestrated by the cybercriminal group known as Hive0145. This group, which several threat intelligence vendors describe as a highly organised Advanced Persistent Threat (APT), has been delivering a specific strain of malware—Strela Stealer—to infiltrate and compromise systems. Targeting primarily Spain, Germany, and Ukraine, Hive0145 has refined its distribution methods, focusing on spear-phishing techniques that enable the infection of high-value targets. In this analysis, we’ll delve into the technical aspects of Hive0145’s operations, highlighting the evolving tactics used in delivering Strela Stealer, the structure and functionality of the malware itself, and the broader impact on organisations and individuals across Europe.
Hive0145’s campaign structure is unique in its evolution. Initially, the group used rudimentary phishing emails that appeared as routine business communications—fake invoices, receipts, and order confirmations. This low-level social engineering tactic relied on broad targeting, hoping for unsuspecting users to open attachments containing malicious payloads.
However, by mid-2024, Hive0145’s approach shifted to a more sophisticated form of phishing known as thread hijacking. In thread hijacking, rather than sending new, unsolicited messages, the group gained access to legitimate email accounts and inserted themselves into existing email threads. These ongoing conversations provided a veil of authenticity, increasing the likelihood of success. By leveraging previously compromised email accounts, Hive0145 could manipulate targets more effectively, making malicious attachments or links appear credible within an established conversation. The phishing emails also adapted to mirror industry-specific language, targeting sectors such as finance, technology, and manufacturing, which rely heavily on email for daily operations.
Deep Dive into Strela Stealer Malware: Structure, Functions, and Capabilities
At the heart of Hive0145’s campaign lies Strela Stealer, an advanced credential-stealing malware specifically designed to target email credentials. The malware primarily focuses on extracting stored credentials from popular email clients, such as Microsoft Outlook and Mozilla Thunderbird.
Initial Infection Mechanism
Strela Stealer is often packaged within ZIP files attached to phishing emails. Inside the ZIP file, a JavaScript (.js) file is embedded, which acts as the initial downloader. When the user executes this file, it runs an obfuscated PowerShell command in the background.
This command is Base64-encoded, allowing it to evade basic detection mechanisms that match on plaintext PowerShell keywords. Once executed, the script retrieves a malicious Dynamic Link Library (DLL) file hosted on a WebDAV server controlled by the attackers.
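The delivery chain above (script host launching an encoded PowerShell command that references a WebDAV share) leaves a recognisable trace in process-creation telemetry. The following hunting logic is an added example, not code from the original article or from any vendor product; the Sysmon-style field names and the sample events are constructed assumptions, and the encoded payload is a harmless path assignment used only to exercise the decoder.

```python
import base64
import re

# powershell.exe accepts -EncodedCommand and any unambiguous prefix (-e, -ec, -enc, ...)
ENC_SWITCH = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
# WebDAV UNC paths as Windows writes them: \\host@SSL\DavWWWRoot\... or \\host\DavWWWRoot\...
WEBDAV_PATH = re.compile(r"(?i)\\\\[^\s\\]+\\DavWWWRoot\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # hosts that run the .js downloader stage

def encode_ps(cmd: str) -> str:
    """Encode a command the way -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev: dict) -> list:
    """Return the indicators matched by one process-creation event (empty list if none)."""
    findings = []
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if image.endswith("powershell.exe") and parent.endswith(SCRIPT_HOSTS):
        findings.append("powershell spawned by a script host (JS downloader stage)")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        findings.append("Base64-encoded PowerShell command")
        if WEBDAV_PATH.search(decoded):
            findings.append("decoded command references a WebDAV share")
    return findings

def hunt(events: list) -> dict:
    """Map event index -> findings for every event that matched at least one indicator."""
    return {i: f for i, ev in enumerate(events) if (f := score_event(ev))}

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real logs; the encoded
# payload is a harmless path assignment, just enough to exercise the decoder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\rechnung_2024.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    + encode_ps(r"$p = '\\203.0.113.5@SSL\DavWWWRoot\update.dll'")},
]
```

Only the second sample event is reported, with all three indicators; a plain `-ExecutionPolicy Bypass -File` invocation from explorer.exe is not, because the encoded-command pattern requires a long Base64 argument after the switch.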
Fileless Execution
One of the critical aspects of Strela Stealer is its fileless execution. The downloaded DLL does not save itself on the disk in a traditional sense; instead, it runs directly in memory. This tactic, commonly seen in advanced malware, allows it to bypass endpoint protection tools that scan for known file signatures. By running entirely in RAM, Strela Stealer remains invisible to many antivirus solutions.
Locale Detection and Targeting
After executing, Strela Stealer initiates a locale detection process. It checks the system’s keyboard layout and language settings to confirm that the user falls within its target regions, specifically focusing on Spanish, German, and Ukrainian locales. If the device meets the locale criteria, the malware proceeds with its primary operations; otherwise, it may self-terminate to reduce the likelihood of detection.
Credential Harvesting
Once active, Strela Stealer locates configuration files from email clients such as Outlook and Thunderbird. These configuration files store user credentials, which the malware extracts. This information includes usernames, passwords, server configurations, and potentially sensitive email data. The malware is equipped to bypass some of the typical encryption methods that secure these files, often leveraging system permissions granted through social engineering to access the files directly.
Exfiltration via Command and Control (C2) Infrastructure
After extracting the credentials, Strela Stealer uses an encrypted channel to transmit the stolen data to Hive0145’s Command and Control (C2) servers. The encryption is often a custom implementation, making detection more challenging for network-based monitoring solutions. In some instances, the malware uses common internet protocols, blending its activity with regular internet traffic, further complicating detection.
Hive0145’s Targeting Strategy and Geographic Focus
The geographical focus of Hive0145 has largely centred on Europe, with Spain, Germany, and Ukraine as primary targets. The group’s focus on these regions may be due to a combination of factors, including the higher adoption rates of specific email clients and language-specific vulnerabilities that make users more susceptible to phishing. Language nuances and cultural familiarity allow Hive0145 to craft emails that resonate well within these targeted regions, increasing their chances of a successful infiltration.
Furthermore, Hive0145’s choice of industries for its attacks—such as finance, technology, and e-commerce—reflects a preference for high-value targets. Credentials obtained from these sectors could provide the group with access to sensitive financial information, intellectual property, and proprietary data, amplifying the potential impact of each successful attack.
The Broader Impact and Risks
Strela Stealer’s capabilities allow Hive0145 to conduct business email compromise (BEC) attacks, wherein compromised email accounts are used to initiate fraudulent transactions or unauthorised data access. Once email credentials are stolen, attackers can impersonate employees or company officials, potentially leading to substantial financial and reputational damage. Beyond credential theft, Hive0145’s campaigns have the potential to disrupt business operations, as organisations are forced to divert resources to respond to and recover from these attacks.
Recommended Mitigation Measures
Given the evolving tactics and advanced techniques employed by Hive0145, both individuals and organisations can benefit from adopting a multi-layered defence approach:
User Education and Awareness
Regular training on phishing recognition is crucial, especially emphasising the risks of opening unexpected attachments. Teaching users to verify the legitimacy of emails, even if they appear to be from trusted sources, can significantly reduce susceptibility.
Email Security Solutions
Deploy advanced email security solutions that offer real-time threat detection, including anti-phishing tools that analyse attachments for obfuscated scripts or suspicious links. Solutions that incorporate artificial intelligence can enhance detection accuracy.
Endpoint Protection
Implement endpoint protection solutions that focus on detecting fileless malware behaviours. Advanced endpoint detection and response (EDR) solutions can offer more robust defences against the kinds of in-memory execution techniques used by Strela Stealer.
Restrict Access to WebDAV Servers
Restricting outbound WebDAV access from endpoints and enforcing strict authentication policies can mitigate the risk of malicious file downloads over this channel. Preventing unnecessary PowerShell script execution can also reduce exposure to fileless malware.
Multi-Factor Authentication (MFA)
Enforce MFA for accessing email clients and systems containing sensitive information. MFA acts as an additional layer of security, making it more challenging for attackers to compromise accounts even if they obtain credentials.
Conclusion
The Hive0145 campaign is a prime example of how modern cybercriminals adapt their tactics to achieve higher success rates. Through thread hijacking and advanced credential-stealing malware like Strela Stealer, Hive0145 has managed to conduct highly targeted attacks across Europe. As this threat actor continues to evolve, it underscores the necessity for organisations to remain vigilant, invest in layered security solutions, and continuously educate their users. By staying informed of these advanced threats and implementing best practices, organisations can better defend against the persistent and evolving strategies used by threat actors such as Hive0145.