A new malware, dubbed StrelaStealer, has been found actively stealing email account credentials from the popular email clients Microsoft Outlook and Mozilla Thunderbird. While most info-stealer malware targets browsers, cryptocurrency wallet apps, and the clipboard, this one appears to be unique in solely targeting email account credentials.
StrelaStealer is currently delivered via phishing emails that contain malicious attachments, generally ISO files with varying content. One case discovered used an ISO file containing an LNK file and an HTML file. This HTML file was what is known as a polyglot file: a file that is valid in more than one format and is therefore treated differently depending on the application that opens it. In this case, the HTML file was both an HTML document and a DLL. Upon execution of the LNK file, rundll32.exe is executed with the HTML file as the target, which runs the main StrelaStealer payload on the system. The LNK file also opens the HTML file in a web browser in an attempt to trick the user into thinking there was nothing suspicious about the activity.

Once the StrelaStealer DLL is executed, it searches for the primary Thunderbird directory and collects the logins.json and key4.db files, which contain the information required to decrypt and collect any stored passwords. It also reads the Windows Registry to retrieve the encrypted credential information stored by Outlook and then uses the Windows CryptUnprotectData function to decrypt it. Once both of these activities have been performed, the malware exfiltrates the data to its C2 server. The malware then verifies that the C2 received the data by waiting for a specific response before quitting. If the response is not received, the malware sleeps and then attempts the credential theft again.
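As an added detection example (not code from the original article or from the researchers who analysed the sample), the Python below covers the two observable pieces of the execution chain described above: it flags process-creation events in which rundll32.exe is handed a module whose extension is not .dll (such as an .html file), and it checks whether a file is a PE/HTML polyglot by requiring a valid DOS/PE header at offset 0 (which the Windows loader needs) alongside HTML markup. The log events, file names and byte samples are constructed for illustration.

```python
import re
import struct
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry). The .html path is hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\Factura.html",Entry'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign, normal .dll module
    {"image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "cmdline": r'"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"'},
]

# rundll32 takes "<module>,<export>"; capture the module path, quoted or not.
_RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', re.IGNORECASE)

def rundll32_nondll_target(cmdline: str) -> Optional[str]:
    """Return the module path if rundll32 is loading a file whose extension is not .dll, else None."""
    m = _RUNDLL_TARGET.search(cmdline)
    if not m:
        return None
    target = m.group(1).strip()
    return None if target.lower().endswith(".dll") else target

def flag_events(events) -> List[str]:
    """Return module paths from rundll32 executions that load a non-.dll file (e.g. an .html polyglot)."""
    flagged = []
    for ev in events:
        if ev["image"].lower().endswith("rundll32.exe"):
            target = rundll32_nondll_target(ev["cmdline"])
            if target:
                flagged.append(target)
    return flagged

def is_html_pe_polyglot(data: bytes) -> bool:
    """True when the bytes carry a loadable PE header (MZ at 0, e_lfanew -> 'PE\\0\\0') and HTML markup."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    lowered = data.lower()
    return b"<html" in lowered or b"<!doctype html" in lowered or b"<script" in lowered

# Constructed samples: a minimal MZ/PE header stub with HTML appended (not a runnable program), and plain HTML.
POLYGLOT_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew at offset 0x3C -> 0x80
                   + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00"
                   + b"<html><body>Factura</body></html>")
PLAIN_HTML_SAMPLE = b"<!DOCTYPE html><html><body>hello</body></html>"
```

Pairing the rundll32 check with the file check keeps false positives down: a non-.dll module argument alone is unusual but not conclusive, while a file that passes both tests is unambiguous.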
StrelaStealer is believed to currently be targeting Spanish-speaking users, due to the use of Spanish-language lures and its focus on specific software.