A newly discovered data-stealing malware called “StrelaStealer” is aggressively harvesting email login credentials from Thunderbird and Outlook, two popular email clients. Most information stealers go after a broad range of sources, including browsers, cryptocurrency wallet applications, cloud gaming apps, and the clipboard; StrelaStealer's narrow focus on email clients sets it apart from most data stealers.
Analysts at DCSO CyTec discovered this previously unknown malware and report first encountering it in the wild in early November 2022, targeting Spanish-speaking users. StrelaStealer reaches the victim's computer through email attachments, which at present are ISO files with varying contents. In one case, the ISO contains a program called “msinfo32.exe” that sideloads the bundled malware through DLL search-order hijacking.
Analysts observed a more intriguing variant in which the ISO contained both an HTML file (x.html) and an LNK file (“Factura.lnk”). The x.html file is particularly interesting because it is a polyglot: depending on the program that opens it, it is treated as one of several file formats. In this case, x.html is both an HTML file and a DLL, so it can either run the StrelaStealer payload or display a decoy document in the default web browser.
When Factura.lnk is opened, it runs x.html twice: once as HTML to load the decoy content in the browser, and once through rundll32.exe to execute the embedded StrelaStealer DLL. Once the malware has been loaded into memory, the default browser is launched to display the decoy and make the attack less noticeable.
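As a defender-side check for the x.html technique described above (an added example, not code from DCSO CyTec or the original write-up): a small Python inspector that flags a file carrying a valid MZ/PE header while also containing HTML markup, reports whether the COFF Characteristics mark the image as a DLL, and notes when such a file wears an .html extension. The sample bytes are constructed, and the function and field names are my own.

```python
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag for a DLL image
HTML_MARKERS = (b"<html", b"<!doctype html", b"<body", b"<script")


def parse_pe_header(data: bytes):
    """Return (is_pe, e_lfanew); True only if MZ stub points at 'PE\\0\\0' + full COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, e_lfanew
    return True, e_lfanew


def inspect(name: str, data: bytes) -> dict:
    """Classify one file: PE? DLL? also HTML? extension (.html/.htm) disagreeing with the PE header?"""
    is_pe, e_lfanew = parse_pe_header(data)
    is_dll = False
    if is_pe:
        # Characteristics sits 22 bytes after the PE signature (4-byte signature + COFF offset 18)
        characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
        is_dll = bool(characteristics & IMAGE_FILE_DLL)
    lowered = data.lower()
    has_html = any(marker in lowered for marker in HTML_MARKERS)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return {
        "name": name,
        "is_pe": is_pe,
        "is_dll": is_dll,
        "has_html": has_html,
        "polyglot": is_pe and has_html,
        "extension_mismatch": is_pe and ext in ("html", "htm"),
    }


def build_sample() -> bytes:
    """Constructed sample (not a real StrelaStealer file): DLL-flagged PE stub followed by an HTML decoy."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", stub, 0x40 + 4, 0x8664)    # Machine: AMD64
    struct.pack_into("<H", stub, 0x40 + 22, 0x2022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    return bytes(stub) + b"<html><body>Factura pendiente</body></html>"


if __name__ == "__main__":
    print(inspect("x.html", build_sample()))
```

Run over the contents of a suspicious ISO, a `polyglot` or `extension_mismatch` hit on an .html file is a strong reason to look at the accompanying LNK before anything is opened.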
Upon execution, StrelaStealer looks for “logins.json” (accounts and passwords) and “key4.db” (the password database) in the “%APPDATA%\Thunderbird\Profiles\” directory and exfiltrates their contents to the C2 server. For Outlook, StrelaStealer reads the Windows Registry to locate the software's key and retrieves the “IMAP User,” “IMAP Server,” and “IMAP Password” values. Because the IMAP Password is stored encrypted, the malware calls the Windows CryptUnprotectData function to decrypt it before sending it, together with the server and user details, to the C2.
Finally, StrelaStealer checks for a specific response to confirm that the C2 received the data and terminates when it arrives. Otherwise, it sleeps for one second and restarts the data-theft routine. Given that the malware targets a narrow range of software and is distributed through Spanish-language lures, it may be used in highly targeted attacks. DCSO CyTec was unable to learn more about its distribution, however.