A new infostealer dubbed ‘StrelaStealer’ is aggressively stealing account credentials from Outlook and Thunderbird, two commonly used email clients.

StrelaStealer’s behaviour differs from most infostealers, which seek to steal data from various sources like browsers, cloud gaming apps and cryptocurrency wallets.

Analysts at DCSO CyTec identified the previously unknown malware variant. StrelaStealer targets Spanish-speaking users and was first seen in the wild earlier this month. StrelaStealer infiltrates victims’ systems using email attachments, which are typically ISO files.

A tricky bundle

In one case, the ISO contained a program (msinfo32.exe) that uses DLL hijacking to sideload the malware packaged inside. In another scenario, the ISO includes an LNK file (Factura.lnk) and an HTML file (x.html). The x.html file is particularly interesting as it’s a polyglot, meaning it can be treated as several file types depending on the program that opens it.

In the scenario analysed by DCSO CyTec, x.html is both an HTML file and a DLL program capable of launching the StrelaStealer virus and displaying phoney documents in default web browsers.

When executed, the Fractura.Ink file performs two x.html actions. The first uses rundll32.exe to run an embedded StrelaStealer DLL to load the decoy document in the browser. When the malware is loaded in memory, the default browser opens to show the decoy and eliminate user suspicion.

How StrelaStealer operates

When attacking Thunderbird, StrelaStealer scans the ‘%APPDATA%ThunderbirdProfiles’ directory for ‘key4.db’ (password database) and ‘logins.json’ (credentials. The details are sent to a command and control server upon activation. When attacking Outlook, StrelaStealer examines the Windows Registry to extract the software’s key before locating the ‘IMAP User’, ‘IMAP Server’, and ‘IMAP Password’ settings for Outlook.

The IMAP Password includes the user password in encrypted form; therefore, the virus decrypts it before sending it to the command and control server. Lastly, StrelaStealer confirms that the command and control server receives data by looking for a specific signal. When the signal is found, the server retrieves the data and disappears from the radar. When the signal isn’t found, StrelaStealer goes into a 1-second slumber and repeats the process.

Tip: Diary of a ransomware attack: attack, recovery, best practices