StrelaStealer steals logins from Outlook & Thunderbird users

April 3, 2024

TLDR:

An updated StrelaStealer variant targets Spanish-speaking users to steal e-mail account credentials from Outlook and Thunderbird. It arrives as JavaScript inside an archive attachment, hides its payload behind obfuscation and anti-analysis tricks, runs only when the system's keyboard layout matches a hardcoded list, XOR-encodes the stolen data before exfiltration, and takes deliberate steps to stay under antivirus detection.

Full Article:

A new variant of the StrelaStealer malware has been identified. It targets Spanish-speaking users and exists primarily to steal e-mail account credentials from two popular clients, Outlook and Thunderbird. StrelaStealer was first spotted in the wild in early November 2022; this updated strain adds obfuscation and anti-analysis techniques that make it noticeably harder to dissect than earlier builds.

The malware is delivered as JavaScript inside an archive file attached to an e-mail. When the user opens the archive and runs the script, it drops a 64-bit executable into the %userprofile% folder and launches it. That executable is only a loader: the actual stealer is embedded inside it in encoded form, so the file on disk does not present the final payload to a scanner.

Technical analysis shows that the loader decodes an embedded Portable Executable (PE) file, the real payload, with a single-byte XOR. The code around that routine is padded with jump blocks, redundant loops and dummy functions whose only purpose is to slow down static analysis and to delay execution long enough to outlast sandbox time limits.

One notable feature of this variant is selective execution based on keyboard layout. The malware compares the system's keyboard layout against a list of hardcoded values corresponding to countries such as Germany, Spain, Italy and Poland. If a layout matches, the malware proceeds; otherwise it terminates itself. This is both a targeting filter and an anti-analysis measure: a sandbox or analyst VM with a default US layout never reaches the credential-stealing code.
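The layout gate described above, written out as an added example (this is not the malware's own code). On Windows, installed layouts come from the `GetKeyboardLayoutList` API as HKL handles; the low 16 bits of an HKL are a Windows LANGID, and the low 10 bits of that LANGID identify the language independent of region. The article does not print the malware's exact list, so the set of target LANGIDs below is an assumption based on the countries it names (the values themselves are the standard Windows identifiers for those locales). The sample HKL lists are constructed.

```python
# Added example: a keyboard-layout gate of the kind the article describes,
# plus the decomposition of an HKL so an analyst can see which layouts pass.
import ctypes
import sys

# Standard Windows LANGIDs for the countries the article names. The malware's
# real list is not reproduced on the page; this set is an assumption.
TARGET_LANGIDS = {
    0x0407: "de-DE",  # German (Germany)
    0x040A: "es-ES",  # Spanish (Spain, traditional sort)
    0x0C0A: "es-ES",  # Spanish (Spain, modern/international sort)
    0x0410: "it-IT",  # Italian (Italy)
    0x0415: "pl-PL",  # Polish (Poland)
}


def langid_from_hkl(hkl: int) -> int:
    """An HKL packs a device handle in the high word and a LANGID in the low word."""
    return hkl & 0xFFFF


def primary_langid(langid: int) -> int:
    """Low 10 bits of a LANGID name the language; the top 6 bits name the sub-language."""
    return langid & 0x3FF


def matching_layouts(hkls, targets=TARGET_LANGIDS):
    """Return every installed layout whose full LANGID is on the target list."""
    return [hkl for hkl in hkls if langid_from_hkl(hkl) in targets]


def gate_passes(hkls, targets=TARGET_LANGIDS) -> bool:
    """True if at least one installed layout matches (the malware would continue)."""
    return bool(matching_layouts(hkls, targets))


def installed_layouts():
    """Enumerate installed layouts with user32!GetKeyboardLayoutList (Windows only).

    Returns an empty list on other platforms so the rest of the module still runs.
    """
    if sys.platform != "win32":
        return []
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    fn = user32.GetKeyboardLayoutList
    fn.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    fn.restype = ctypes.c_int
    count = fn(0, None)                      # first call: ask for the count
    buf = (ctypes.c_void_p * count)()
    fn(count, buf)                           # second call: fill the array
    return [h & 0xFFFFFFFF for h in buf if h]


# Constructed sample HKL values (high word = device, low word = LANGID).
US_ONLY_SANDBOX = [0x04090409]               # en-US only: gate fails
GERMAN_WORKSTATION = [0x04070407]            # de-DE: gate passes
MIXED_HOST = [0x04090409, 0x04070407]        # en-US default, de-DE installed
MEXICAN_HOST = [0x080A080A]                  # es-MX: Spanish, but not es-ES

if __name__ == "__main__":
    live = installed_layouts()
    for name, hkls in [("this host", live), ("us-only", US_ONLY_SANDBOX),
                       ("german", GERMAN_WORKSTATION), ("mixed", MIXED_HOST),
                       ("mexican", MEXICAN_HOST)]:
        print(f"{name:10} layouts={[hex(h) for h in hkls]} "
              f"gate={'run' if gate_passes(hkls) else 'exit'}")
```

Two points the sample lists bring out. First, the gate only needs one matching layout, so a host with an en-US default and a de-DE layout merely installed still passes; analysts reproducing the sample should add a target layout to the VM rather than switch the default. Second, matching on the full LANGID excludes Spanish layouts outside Spain (es-MX above shares the primary language ID 0x0A with es-ES but is not on the list), which is worth checking in the actual sample before assuming who is and is not targeted.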

StrelaStealer's primary function is to steal credentials from infected machines, specifically those of Mozilla Thunderbird and Outlook. It searches for the specific files and registry keys in which each client stores account credentials, then XOR-encodes the harvested data with a single-byte key before sending it to an attacker-controlled server. A single-byte XOR is obfuscation rather than encryption: anyone holding a capture of the exfiltration traffic can recover the key and read the stolen credentials.
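The article mentions single-byte XOR twice, once for the embedded PE payload and once for the exfiltrated credentials. The following added example (not code from the article or from the malware) shows how an analyst recovers the key in both cases without brute-forcing blindly: for the payload, the key is simply the first encoded byte XORed with `'M'` and is then confirmed by checking for the `PE\0\0` signature at `e_lfanew`; for exfiltrated data, which has no fixed header, a known plaintext fragment (a crib such as the victim's e-mail domain) is used instead. The encoded payload is a constructed stand-in containing only the header fields the check reads, and the exfiltration record format is invented for the demo; neither reflects the real sample's structure.

```python
# Added example: recovering a single-byte XOR key from (a) an encoded PE payload
# and (b) an exfiltration blob, using the MZ/PE header and a crib respectively.
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """Structural check: MZ stub, e_lfanew in range, and 'PE\\0\\0' at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_pe_key(blob: bytes):
    """Derive the key from the first byte (it must decode to 'M'), then verify.

    XOR is byte-wise, so only key = blob[0] ^ ord('M') can yield an MZ header;
    there is nothing to gain from trying the other 255 values.
    """
    if not blob:
        return None
    key = blob[0] ^ MZ[0]
    return key if looks_like_pe(xor_single_byte(blob, key)) else None


def recover_key_with_crib(blob: bytes, crib: bytes):
    """Try all 256 keys and keep those under which the known plaintext appears.

    Exfiltrated data has no fixed header, so a crib (the victim's e-mail domain,
    a field label seen in the sample) stands in for the MZ check. A long crib
    makes a false positive across 256 candidates practically impossible.
    """
    return [k for k in range(256) if crib in xor_single_byte(blob, k)]


def build_minimal_pe_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed payload stand-in: MZ stub plus PE signature, nothing else.

    Only the fields looks_like_pe() reads are populated; it is not executable.
    """
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(hdr)


# Constructed inputs (not from a real sample); the keys 0x5A and 0x9C are arbitrary.
ENCODED_PAYLOAD = xor_single_byte(build_minimal_pe_header(), 0x5A)
ENCODED_EXFIL = xor_single_byte(
    b"thunderbird|alice@example.com|s3cret\r\noutlook|bob@example.com|hunter2\r\n",
    0x9C,
)

if __name__ == "__main__":
    key = recover_pe_key(ENCODED_PAYLOAD)
    print(f"payload key: {key:#04x}")
    for k in recover_key_with_crib(ENCODED_EXFIL, b"@example.com"):
        print(f"exfil key {k:#04x}: {xor_single_byte(ENCODED_EXFIL, k)!r}")
```

The same `looks_like_pe` check is what a memory scanner relies on, which is why the header-stripping described later in the article matters: once the loader maps the decoded payload without its MZ/PE header, a scan of the injected region for this signature finds nothing, and the analyst has to fall back on section layout or known code patterns instead.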

The malware also takes deliberate steps to avoid antivirus detection. When it injects the decoded payload into memory it does not copy the PE header along with it, so memory scanners that look for an MZ/PE header at the start of an injected image do not find one. It also resolves the Windows API functions it needs at runtime rather than through a static import table, which keeps its capabilities out of the import-based signatures and heuristics many products rely on. Taken together, these changes show the family is still being actively developed, and detection content written against the 2022 builds should be re-checked.

The practical advice follows from the delivery chain. Users should be cautious with e-mail attachments even from seemingly trustworthy senders, and archive attachments that contain a JavaScript file should be treated as hostile; administrators can block or quarantine such attachments at the mail gateway. Keeping antivirus software current matters, but given the evasion described above it should not be the only control.
