Threat Watch

New StrelaStealer Malware Steals Your Outlook, Thunderbird Accounts

A new malware, dubbed StrelaStealer, has been found actively stealing email account credentials from popular client apps Microsoft Outlook and Mozilla Thunderbird. While most info-stealer malware targets browsers, cryptocurrency wallet apps, and the clipboard, this one appears to be unique in solely targeting email account credentials.

StrelaStealer is currently delivered via phishing emails that contain malicious attachments, generally ISO files with varying content. One unique case discovered used an ISO file containing an LNK file and an HTML file. This HTML file was what is known as a polyglot file, or a file that can be treated differently depending on the application that opens it. In this case, the HTML file was both an HTML file and a DLL program. Upon execution of the LNK file, rundll32.exe is executed with the HTML file as the target. This execution runs the main StrelaStealer payload on the system. The LNK file also opens the HTML file in a web browser in an attempt to trick the user into thinking there was nothing suspicious about the activity. Once the StrelaStealer DLL is executed, it searches for the primary Thunderbird directory and collects the logins.json and key4.db files that contain the information required to decrypt and collect any stored passwords. It also reads the Windows Registry to retrieve the encrypted credential information stored by Outlook and then uses the Windows CryptUnprotectData function to decrypt the information. Once both of these activities have been performed, the malware exfiltrates the data back to its C2 server. The malware then verifies that the C2 received the data by waiting for a specific response before quitting. If the response is not received, the malware sleeps and then attempts the credential theft again.

StrelaStealer is believed to currently be targeting Spanish-speaking users, due to the use of Spanish-language lures and its focus on specific software.


It is highly recommended to implement and maintain good email security controls, such as AV scanning and sandboxing, to help prevent phishing emails from being delivered to end users. Since the vast majority of malware is delivered via phishing emails, this step alone can help prevent a large number of malware campaigns from being unsuccessful in infecting an organization. It is also recommended to implement a blocklist of potentially suspicious email attachment file types, such as ISO, from any emails originating from outside the organization. This can also help prevent phishing emails from being delivered to end users or, at the very least, remove the malicious attachments from them. It is also recommended to implement and maintain good endpoint security controls, such as EDR, on all systems within an organization. While it can be difficult to prevent or detect information-stealing malware from performing their limited functions, there are other behaviors that are exhibited by the infection process that would be considered suspicious. An LNK file being executed from an ISO or mounted drive, a cmd.exe process executing rundll32.exe with an abnormal DLL file extension, and a rundll32.exe process making outbound network connections to suspicious IP addresses are all behaviors that can be detected and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.