StrelaStealer steals Outlook and Thunderbird account credentials

November 24, 2022
StrelaStealer Infostealer Outlook Thunderbird User Account Email Credentials

The Outlook and Thunderbird email clients are under fire as a new infostealing malware called StrelaStealer is looking to steal user credentials. The behaviour of this newly discovered infostealer is similar to other malware strains, which attempt to steal data from various sources, such as crypto wallet apps, cloud gaming platforms, clipboards, and browsers.


Email attachments are the transmitter of this newly found StrelaStealer infostealer.


The StrelaStealer malware arrives on a targeted system through an email attachment. Its operators use ISO files with contents that vary depending on the target.

Based on reports, the ISO contains an LNK file and an HTML file named x[.]html. The x[.]html file is of particular interest because it is a polyglot file, that is, a file that is parsed as a different format depending on which application opens it.

In this instance, x[.]html is both a DLL and an HTML document: it can either load the StrelaStealer malware or display a decoy document in the targeted device's default web browser.

When the Fractura[.]lnk shortcut is run, it executes x[.]html twice: first with rundll32[.]exe, which loads the embedded StrelaStealer DLL, and then as HTML, which opens the decoy document in the browser.

Once the infostealer is loaded in memory, the default browser opens the decoy, making the malicious activity less suspicious to the victim.
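Two defender-side checks that follow from the execution chain above, written here as an added example rather than code from the article or from any vendor: a byte-level test for the DLL/HTML polyglot shape described for x[.]html, and a triage rule over process-creation events that flags rundll32 being asked to load a module whose extension is not .dll. The sample bytes and event records are constructed for the demonstration, and the export name `PlaceholderExport` is a stand-in, since the article does not give the real one.

```python
import re
from typing import Dict, List, Optional

# --- Check 1: file-level test for a PE/HTML polyglot ---------------------------

def is_pe_html_polyglot(data: bytes) -> bool:
    """True when a buffer starts with the PE 'MZ' signature and also carries
    HTML markup, the combination the article describes for x.html."""
    if len(data) < 2 or data[:2] != b"MZ":
        return False
    lowered = data.lower()
    return b"<html" in lowered or b"<!doctype html" in lowered

# Constructed samples: a stub with an MZ header plus an HTML tail, and a plain
# HTML page. Neither is the real x.html; they only exercise the check.
SAMPLE_POLYGLOT = b"MZ" + b"\x00" * 62 + b"<html><body>decoy</body></html>"
SAMPLE_PLAIN_HTML = b"<html><body>ordinary page</body></html>"

# --- Check 2: process-creation triage for rundll32 with a non-DLL module --------

# rundll32 syntax is "<module>,<entrypoint> [args]"; capture the module path,
# which may be quoted.  Example: rundll32.exe "D:\x.html",PlaceholderExport
_MODULE_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)

# Extensions that should never be handed to rundll32 as a module.
SUSPICIOUS_EXTS = {".html", ".htm", ".txt", ".png", ".jpg", ".dat"}

def rundll32_module(command_line: str) -> Optional[str]:
    """Extract the module path from a rundll32 command line, or None."""
    m = _MODULE_RE.search(command_line)
    return m.group(1).strip() if m else None

def triage_event(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when a process-creation event matches the
    rundll32-loads-non-DLL pattern, otherwise None."""
    image = event.get("Image", "").lower()
    if not image.endswith("rundll32.exe"):
        return None
    module = rundll32_module(event.get("CommandLine", ""))
    if module is None:
        return None
    ext = "." + module.rsplit(".", 1)[-1].lower() if "." in module else ""
    if ext in SUSPICIOUS_EXTS:
        return f"rundll32 loading non-DLL module {module}"
    return None

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run triage_event over a batch and keep only the hits."""
    return [r for r in (triage_event(e) for e in events) if r]

# Constructed Sysmon-style (Event ID 1) records.  A mounted ISO shows up as a
# drive letter, hence the D:\ path; these are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "D:\x.html",PlaceholderExport',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" D:\x.html',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print("polyglot sample:", is_pe_html_polyglot(SAMPLE_POLYGLOT))
    print("plain html     :", is_pe_html_polyglot(SAMPLE_PLAIN_HTML))
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The second rule deliberately keys on the module extension rather than on the file name x.html, so it also catches the same technique under a different name; the browser launch of the same file is benign on its own and is left for correlation by parent process and path rather than alerted on directly.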

For MS Outlook users, StrelaStealer reads the Windows Registry to locate the software's key and retrieves the IMAP Server, IMAP User, and IMAP Password values. The IMAP Password value holds the user's password in encrypted form, so the malware calls the Windows CryptUnprotectData function (DPAPI) to decrypt it before exfiltrating it, together with the server and user values, to its command-and-control server.

Lastly, the malware verifies that the C2 server has received the data: StrelaStealer checks for a particular response from the server and exits once it is confirmed. Otherwise, the infostealer sleeps briefly and runs the data-theft routine again.

Experts noted that the malware spreads using Spanish-language lures and focuses on specific software, so the attacks likely target Spanish-speaking countries.
