Researchers have documented the workings of a new malware family, StrelaStealer, which steals the login credentials of email accounts.
Given its Spanish-language references and its mode of operation, the malware appears to be used only in highly targeted attacks. In one delivery chain, StrelaStealer arrives via an LNK file that launches the credential-stealing payload in the background while a decoy document opens in the user's web browser.
StrelaStealer Working Mechanism
DCSO CyTec researchers have detailed a new information-stealing malware called StrelaStealer that steals the credentials of Outlook and Thunderbird email accounts. It was first seen earlier this month, targeting Spanish-speaking users.
The operators start by emailing the target an ISO attachment whose contents vary between campaigns. In one variant, the ISO carries a copy of the legitimate Windows system tool 'msinfo32.exe' alongside a malicious DLL; when the user runs the executable, it loads the bundled DLL through DLL search-order hijacking (sideloading), so the malware runs under a trusted process name.
In other cases, the ISO contains an LNK file ('Factura.lnk') and an HTML file ('x.html'). The HTML file is the interesting part: it is a polyglot, a single file that is valid in two formats and behaves differently depending on which application opens it.
Opened in a web browser, x.html renders as a harmless-looking text document; loaded by rundll32.exe, the same file is treated as a DLL and runs the StrelaStealer payload.
When the target double-clicks Factura.lnk, the shortcut invokes x.html twice: once via rundll32.exe, which loads the file as the embedded StrelaStealer DLL, and once in the default web browser, which renders the HTML side as a decoy document.
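To make the polyglot trick concrete, here is an added Python example (not code from the DCSO report or from the malware) that checks whether a file a Windows loader would accept as a PE image also carries HTML markup, the combination that lets the same bytes serve both rundll32.exe and a browser. The sample inputs, including the minimal MZ/PE header and the 'Factura' decoy markup, are constructed for the example; it assumes the polyglot is PE-first (MZ at offset 0), since that is what rundll32.exe requires, with the HTML placed where a browser will still render it.

```python
import struct

# Constructed sample HTML markup and a minimal PE header (not a loadable
# image, and not the real x.html); only used to exercise the checks.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script")
IMAGE_FILE_DLL = 0x2000


def pe_header_offset(data: bytes):
    """Return the offset of the 'PE\\0\\0' signature, or None if the data is
    not something the Windows loader (and therefore rundll32.exe) would accept."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def pe_is_dll(data: bytes) -> bool:
    """The COFF Characteristics field sits 22 bytes after the PE signature."""
    off = pe_header_offset(data)
    if off is None:
        return False
    characteristics = struct.unpack_from("<H", data, off + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def looks_like_html(data: bytes) -> bool:
    lowered = data.lower()
    return any(m in lowered for m in HTML_MARKERS)


def classify(data: bytes) -> str:
    """'polyglot' means a valid PE header AND HTML markup in the same file."""
    is_pe = pe_header_offset(data) is not None
    is_html = looks_like_html(data)
    if is_pe and is_html:
        return "polyglot"
    if is_pe:
        return "pe"
    if is_html:
        return "html"
    return "other"


def triage(name: str, data: bytes):
    """Return a reason string if the file deserves attention, else None.
    A '.html' that parses as a PE is exactly the StrelaStealer trick."""
    kind = classify(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if kind == "polyglot":
        return f"{name}: HTML/PE polyglot ({'DLL' if pe_is_dll(data) else 'EXE'})"
    if kind == "pe" and ext in ("html", "htm", "txt", "pdf"):
        return f"{name}: PE image with misleading .{ext} extension"
    return None


def build_pe_stub(dll: bool = True) -> bytes:
    """Constructed MZ stub + COFF header for testing (never executable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0022 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


DECOY = b"\n<!DOCTYPE html><html><body><p>Factura</p></body></html>\n"
SAMPLES = {
    "x.html": build_pe_stub(dll=True) + DECOY,   # constructed polyglot
    "invoice.html": DECOY,                       # plain decoy page
    "helper.dll": build_pe_stub(dll=True),       # plain DLL header
    "notes.txt": b"nothing to see here",
}


def scan(samples=SAMPLES):
    return [r for r in (triage(n, d) for n, d in samples.items()) if r]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The check is deliberately structural rather than signature-based: a browser opening a file:// URL decides the content type from the extension, so any PE whose tail contains renderable markup can play this role, not just the specific x.html seen in this campaign.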
While the target reads the decoy, StrelaStealer runs in the background. For Thunderbird it searches the '%APPDATA%\Thunderbird\Profiles\' directory for 'logins.json' (the stored logins) and 'key4.db' (the key database needed to decrypt them) and steals the pair.
For Outlook, the malware enumerates the application's profile keys in the Windows Registry and reads the 'IMAP User', 'IMAP Server', and 'IMAP Password' values. Whatever it finds is exfiltrated to the attacker's C2 server.
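As an added example (not part of the original report), the following Python turns the behaviour described above into three endpoint-detection rules and runs them over constructed, Sysmon-style events: rundll32.exe loading a module that is not a .dll or .cpl, a process other than thunderbird.exe reading logins.json or key4.db under Thunderbird\Profiles, and a process other than outlook.exe reading the IMAP User/Server/Password values under an Outlook profile key. The event shapes, file paths, user name and the Outlook registry subkey are assumptions made for the example.

```python
import re

# Constructed telemetry in a Sysmon-like shape (not real logs): process
# creation, file reads and registry reads captured on one endpoint.
OUTLOOK_KEY = (r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
               r"\9375CFF0413111d3B88A00104B2A6676\00000002")  # assumed subkey
EVENTS = [
    {"kind": "process", "image": "explorer.exe",
     "cmdline": r'"C:\Users\ana\Desktop\Factura.lnk"'},
    {"kind": "process", "image": "rundll32.exe",
     "cmdline": r'rundll32.exe "D:\x.html",#1'},
    {"kind": "process", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"kind": "file_read", "image": "rundll32.exe",
     "path": r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\k1.default\logins.json"},
    {"kind": "file_read", "image": "rundll32.exe",
     "path": r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\k1.default\key4.db"},
    {"kind": "file_read", "image": "thunderbird.exe",
     "path": r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\k1.default\key4.db"},
    {"kind": "reg_read", "image": "rundll32.exe", "key": OUTLOOK_KEY,
     "value": "IMAP Password"},
    {"kind": "reg_read", "image": "outlook.exe", "key": OUTLOOK_KEY,
     "value": "IMAP Server"},
]

# Module argument of rundll32: the first token after the binary name, with
# optional quotes, up to the comma that separates it from the entry point.
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)
MAIL_CRED_FILES = ("logins.json", "key4.db")
OUTLOOK_IMAP_VALUES = ("imap user", "imap server", "imap password")


def rule_rundll32_non_dll(ev):
    """rundll32.exe normally loads .dll/.cpl; an .html module is the polyglot."""
    if ev["kind"] != "process" or ev["image"].lower() != "rundll32.exe":
        return None
    m = RUNDLL_MODULE.search(ev["cmdline"])
    if not m:
        return None
    module = m.group(1).strip()
    ext = module.lower().rsplit(".", 1)[-1] if "." in module else ""
    if ext not in ("dll", "cpl"):
        return f"rundll32.exe loading non-DLL module: {module}"
    return None


def rule_thunderbird_creds(ev):
    """Only Thunderbird itself has business reading its credential store."""
    if ev["kind"] != "file_read":
        return None
    path = ev["path"].lower()
    in_profile = "\\thunderbird\\profiles\\" in path
    cred_file = path.rsplit("\\", 1)[-1] in MAIL_CRED_FILES
    if in_profile and cred_file and ev["image"].lower() != "thunderbird.exe":
        return f"{ev['image']} read Thunderbird credential store {ev['path']}"
    return None


def rule_outlook_imap(ev):
    """IMAP account values under an Outlook profile, read by a non-Outlook process."""
    if ev["kind"] != "reg_read":
        return None
    under_profile = "\\outlook\\profiles\\" in ev["key"].lower()
    imap_value = ev["value"].lower() in OUTLOOK_IMAP_VALUES
    if under_profile and imap_value and ev["image"].lower() != "outlook.exe":
        return f"{ev['image']} read Outlook profile value '{ev['value']}'"
    return None


RULES = (rule_rundll32_non_dll, rule_thunderbird_creds, rule_outlook_imap)


def detect(events=EVENTS):
    """Apply every rule to every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

The rules key on who touches the credential stores rather than on hashes of x.html, so they also fire on a renamed polyglot or a different sideloading host; the trade-off is that backup agents and profile-migration tools will need allow-listing in the two file and registry rules.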
Although StrelaStealer is used only in highly targeted attacks, the care its operators put into the delivery chain, from sideloading through a legitimate Windows binary to an HTML/DLL polyglot that doubles as its own decoy, is worth noting.