Introduction

The cybercriminal group Hive0145 has been actively targeting European countries, particularly Spain [2], Germany [1] [2], Ukraine [1] [2], and Italy, by deploying the Strela Stealer malware through sophisticated phishing campaigns. These operations pose a significant threat to business email security across the region.

Description

Cybercriminal group Hive0145 has been actively conducting a series of campaigns across Europe [1], particularly targeting Spain [2], Germany [1] [2], Ukraine [1] [2], and Italy, by delivering the Strela Stealer malware [1] [2]. This group employs sophisticated phishing emails that appear as legitimate invoice notifications [2], crafted using stolen email credentials [2]. The phishing attempts often include weaponized attachments disguised as invoices which, when opened, execute the Strela Stealer malware [1] [2]. This malware is specifically designed to extract user credentials from email clients such as Microsoft Outlook and Mozilla Thunderbird, posing a significant risk of Business Email Compromise (BEC) [2].

Since mid-April 2023 [2], Hive0145 has ramped up its activities, evolving its tactics over the past 18 months to enhance the effectiveness of its operations [2]. By July 2024 [2], the group began leveraging actual stolen emails from various industries [2], including finance and technology [2], to create more convincing phishing attempts [2]. This shift indicates a maturation in their cyber operations [2], moving from generic messages to more sophisticated and targeted communications [2].

The group has demonstrated a preference for targeting users in regions where Italian, Spanish [1] [2], German [1] [2], and Ukrainian are spoken, with campaigns noted to have increased in volume and frequency, particularly in October and November 2024 [2]. The technique of attachment hijacking has also been observed, where legitimate emails are modified to include malicious payloads [2], thereby increasing the likelihood of victim engagement [2].

Overall, Hive0145’s operations reflect a sophisticated approach to cybercrime [2], focusing on the extraction of email credentials and the potential for further exploitation through Business Email Compromise [2]. Organizations in Europe [1] [2], especially those in the targeted regions [2], are advised to exercise heightened vigilance regarding email attachments and to scrutinize the legitimacy of unexpected communications to counter this evolving cyber threat.

Conclusion

Hive0145’s activities underscore the growing sophistication of cyber threats targeting business email systems. The group’s use of stolen emails and attachment hijacking techniques highlights the need for organizations to implement robust email security measures. As these threats continue to evolve, businesses must remain vigilant and proactive in their cybersecurity strategies to mitigate potential risks and protect sensitive information.

References

[1] https://www.infosecurity-magazine.com/news/hive0145-targets-eu-strela-stealer/
[2] https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/