Outlook and Thunderbird account credentials are being stolen by the novel StrelaStealer info-stealing malware, BleepingComputer reports.
StrelaStealer, first observed targeting Spanish-speaking users early this month, has been distributed through emails carrying ISO file attachments, according to a report from DCSO CyTec. In one instance the ISO contained an executable that sideloads the malware through DLL search order hijacking; in another, the ISO held an LNK file and a polyglot HTML file that could load either the malware or a decoy document. Once running, StrelaStealer searches the Thunderbird profile for the "logins.json" file, which holds saved accounts and passwords, and the "key4.db" password database, and exfiltrates both to the attackers' command-and-control server.
StrelaStealer also reads the Windows Registry to retrieve the Outlook software key, which it uses to locate the "IMAP User," "IMAP Password," and "IMAP Server" values; the IMAP Password is decrypted before being exfiltrated to the C2 server.
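As an added defensive illustration, not taken from the DCSO or BleepingComputer reports: a small detection routine that runs over constructed file and registry access events and flags the two behaviours described above, reads of Thunderbird's "logins.json" and "key4.db" by anything other than thunderbird.exe, and reads of the Outlook "IMAP User/Password/Server" registry values by anything other than outlook.exe. The event layout, the process name "loader.exe" and the registry key placeholder are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). The "<ts> <action> process=<image> target=<path>"
# layout, the loader.exe process name and CONSTRUCTED_OUTLOOK_PROFILE_KEY are assumptions.
SAMPLE_EVENTS = [
    "2022-11-08T10:01:02Z file_read process=thunderbird.exe target=C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\x1.default\\logins.json",
    "2022-11-08T10:02:15Z file_read process=loader.exe target=C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\x1.default\\key4.db",
    "2022-11-08T10:02:16Z file_read process=loader.exe target=C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\x1.default\\logins.json",
    "2022-11-08T10:03:40Z reg_read process=outlook.exe target=HKCU\\CONSTRUCTED_OUTLOOK_PROFILE_KEY\\IMAP Password",
    "2022-11-08T10:03:41Z reg_read process=loader.exe target=HKCU\\CONSTRUCTED_OUTLOOK_PROFILE_KEY\\IMAP Password",
    "2022-11-08T10:03:42Z reg_read process=loader.exe target=HKCU\\CONSTRUCTED_OUTLOOK_PROFILE_KEY\\IMAP Server",
    "2022-11-08T10:04:00Z file_read process=loader.exe target=C:\\Users\\ana\\Documents\\notes.txt",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) process=(?P<process>\S+) target=(?P<target>.+)$")

# Artefacts named in the report, and the only process expected to read each store.
THUNDERBIRD_FILES = {"logins.json", "key4.db"}
OUTLOOK_VALUES = {"IMAP User", "IMAP Password", "IMAP Server"}
EXPECTED_READER = {"thunderbird": "thunderbird.exe", "outlook": "outlook.exe"}


def classify(action, target):
    """Return which mail-client credential store a target belongs to, or None."""
    leaf = target.rsplit("\\", 1)[-1]  # file name or registry value name
    if action == "file_read" and leaf.lower() in THUNDERBIRD_FILES:
        return "thunderbird"
    if action == "reg_read" and leaf in OUTLOOK_VALUES:
        return "outlook"
    return None


def detect(lines):
    """Flag credential-store reads by any process other than the owning mail client."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the scan
        store = classify(m["action"], m["target"])
        if store and m["process"].lower() != EXPECTED_READER[store]:
            alerts.append({"ts": m["ts"], "process": m["process"], "store": store, "target": m["target"]})
    return alerts


def summarize(alerts):
    """Severity per process: touching both stores matches the reported StrelaStealer behaviour."""
    stores = defaultdict(set)
    for a in alerts:
        stores[a["process"]].add(a["store"])
    return {p: ("high" if s == {"thunderbird", "outlook"} else "medium") for p, s in stores.items()}
```

Reads by the legitimate mail clients are left alone, so the sample yields four alerts, all for loader.exe, which is rated high because it touched both the Thunderbird files and the Outlook IMAP values.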
BleepingComputer also reports that an expanded Xenomorph malware campaign, using an updated version of the Android banking trojan, is mostly targeting users of several U.S. financial institutions and numerous cryptocurrency apps, and has also set its sights on users in Canada, Italy, Spain, Belgium, and Portugal.