Researchers have documented the workings of a new malware, StrelaStealer, which aims to steal the login credentials of email accounts.
Given its several Spanish-language references and its mode of operation, the malware appears to be used only in highly targeted attacks. StrelaStealer is said to arrive with LNK files that run the credential-exfiltrating malware in the background while showing the user a decoy document in the browser.
StrelaStealer Working Mechanism
DCSO CyTec researchers have detailed a new information-stealing malware called StrelaStealer, which steals the credentials of Outlook and Thunderbird email accounts. The malware was first seen earlier this month, targeting Spanish-speaking users.
The threat actors behind this new info-stealer start by sending the targeted user email attachments containing ISO files with varying content. When opened, the ISO runs an executable ("msinfo32.exe") that sideloads the bundled malware via DLL search-order hijacking.
In other cases, the ISO contains an LNK file ("Factura.lnk") and an HTML file ("x.html"), with the HTML file being the real culprit. It is a polyglot file, which behaves differently depending on the type of application that opens it.
For example, if the HTML file is opened with a web browser, it displays a text document; if it is loaded by an executable, it delivers the embedded payload.
In this case, if the target clicks the Factura.lnk file, it executes x.html twice: first via rundll32.exe to load the embedded StrelaStealer DLL, and then in the default web browser to display the decoy document.
While the target is busy reading the decoy document, StrelaStealer runs in the background to carry out its tasks, such as searching the "%APPDATA%\Thunderbird\Profiles\" directory for "logins.json" and "key4.db" to steal the account credentials.
In the case of Outlook, the malware reads the Windows Registry to locate the software's key and then checks the "IMAP User", "IMAP Server", and "IMAP Password" values. When found, it exfiltrates their contents to the attacker's C2 server.
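As an added example (not from the article or the DCSO report), the following Python script turns the behaviours described above into detection heuristics and runs them over a few constructed telemetry events: rundll32.exe loading a module with a non-.dll extension such as x.html, msinfo32.exe running from outside the system directory (the sideloading case), and a process other than Thunderbird reading logins.json or key4.db. The event format, field names and sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): process-creation and file-access
# events shaped loosely like EDR/Sysmon output, using the file names from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "D:\x.html",Entry'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "process", "image": r"D:\msinfo32.exe", "cmdline": "msinfo32.exe"},
    {"type": "file_read", "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"},
    {"type": "file_read", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "path": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abc.default\key4.db"},
]

THUNDERBIRD_SECRETS = {"logins.json", "key4.db"}   # credential store files named in the article
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumed legitimate homes of msinfo32

def _first_module_arg(cmdline):
    """Return the module path rundll32 was asked to load (quoted or not, before ',Entry')."""
    m = re.match(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.I)
    return m.group(1).strip() if m else None

def detect_strela_indicators(events):
    """Return (rule_name, detail) tuples for events matching the StrelaStealer chain."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if ev["type"] == "process" and image.name.lower() == "rundll32.exe":
            # Polyglot trick: rundll32 loading something that is not named *.dll (e.g. x.html)
            mod = _first_module_arg(ev["cmdline"])
            if mod and PureWindowsPath(mod).suffix.lower() != ".dll":
                alerts.append(("rundll32_non_dll_module", mod))
        elif ev["type"] == "process" and image.name.lower() == "msinfo32.exe":
            # Sideloading: a copy of msinfo32.exe started from a mounted ISO or user path
            if not str(image.parent).lower().startswith(SYSTEM_DIRS):
                alerts.append(("msinfo32_outside_system_dir", str(image)))
        elif ev["type"] == "file_read":
            p = PureWindowsPath(ev["path"])
            if (p.name.lower() in THUNDERBIRD_SECRETS and "thunderbird" in str(p).lower()
                    and image.name.lower() != "thunderbird.exe"):
                alerts.append(("thunderbird_credential_store_read_by_foreign_process", str(p)))
    return alerts
```

Running `detect_strela_indicators(SAMPLE_EVENTS)` flags three of the five constructed events; the benign rundll32 and Thunderbird's own read of key4.db are not reported.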
Though used only in highly targeted attacks, it is worth noting how cleverly the malware's operators approach their targets to get what they want.