
Outlook, Thunderbird accounts targeted by novel StrelaStealer malware

Outlook and Thunderbird account credentials are being stolen by the novel StrelaStealer info-stealing malware, BleepingComputer reports. StrelaStealer, which was first observed targeting Spanish-speaking users early this month, has been distributed through emails carrying ISO file attachments, according to a report from DCSO CyTec. In one instance the ISO contained an executable that sideloaded the malware through DLL search order hijacking; in another, the ISO held an LNK file and a polyglot HTML file that executes as the malware when launched by the shortcut but renders as a decoy document when opened normally.

Once running, StrelaStealer searches the Thunderbird profile directory for "logins.json", which holds the saved accounts and their encrypted passwords, and for "key4.db", the key database needed to decrypt them, and exfiltrates both to the attackers' command-and-control (C2) server. For Outlook, StrelaStealer reads the Windows Registry to retrieve the Outlook software key and, beneath it, the "IMAP User", "IMAP Password", and "IMAP Server" values of each configured account; the IMAP Password is decrypted before being sent to the C2 server.
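The following hunting script is an added example, not code from the article or from DCSO's report. It inventories, for the current user, the same artifacts the stealer collects: Outlook account entries in the registry that carry an "IMAP Password" value, and Thunderbird profiles where both logins.json and key4.db are present. It assumes the standard on-disk layouts (Outlook profiles under HKCU:\Software\Microsoft\Office\<version>\Outlook\Profiles with string values stored as UTF-16LE byte arrays, and Thunderbird profiles under %APPDATA%\Thunderbird\Profiles); the function names are the example's own. It only reports what is exposed and does not decrypt anything.

```powershell
# Added example (not from the article or DCSO CyTec): enumerate the credential
# artifacts StrelaStealer targets so a responder can see what a compromised
# session on this host would have exposed. Paths and value names are assumed
# from the standard Outlook 2016+ and Thunderbird layouts.

function ConvertFrom-OutlookBinaryString {
    # Outlook stores account strings as REG_BINARY UTF-16LE with a trailing NUL.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return '' }
    return [Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
}

function Get-OutlookImapAccountExposure {
    # Walk every Office version key (e.g. 16.0) and recurse through its Outlook
    # profiles, reporting each subkey that holds an "IMAP Password" value.
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    $found = @()
    Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $profiles = Join-Path $_.PSPath 'Outlook\Profiles'
            if (-not (Test-Path $profiles)) { return }
            Get-ChildItem -Path $profiles -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                    if ($null -eq $props) { return }
                    $names = $props.PSObject.Properties.Name
                    if ($names -notcontains 'IMAP Password') { return }
                    $found += [pscustomobject]@{
                        RegistryKey   = $_.Name
                        ImapUser      = ConvertFrom-OutlookBinaryString $props.'IMAP User'
                        ImapServer    = ConvertFrom-OutlookBinaryString $props.'IMAP Server'
                        # The password blob is stored encrypted; only its size is
                        # reported here, it is deliberately not decrypted.
                        PasswordBlobBytes = $props.'IMAP Password'.Length
                    }
                }
        }
    return $found
}

function Get-ThunderbirdCredentialExposure {
    # A profile is fully exposed only when both files are present: logins.json
    # holds the encrypted logins, key4.db the key material to decrypt them.
    $root = Join-Path $env:APPDATA 'Thunderbird\Profiles'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $hasLogins = Test-Path (Join-Path $_.FullName 'logins.json')
        $hasKeyDb  = Test-Path (Join-Path $_.FullName 'key4.db')
        [pscustomobject]@{
            Profile      = $_.Name
            LoginsJson   = $hasLogins
            Key4Db       = $hasKeyDb
            FullyExposed = ($hasLogins -and $hasKeyDb)
        }
    }
}

Write-Host '== Outlook accounts with a stored IMAP password =='
Get-OutlookImapAccountExposure | Format-Table -AutoSize

Write-Host '== Thunderbird profiles and credential stores =='
Get-ThunderbirdCredentialExposure | Format-Table -AutoSize
```

Run it in the context of the user whose mailbox may have been exposed; the registry hive and %APPDATA% are per-user, so running it as an administrator from another account will report nothing. One caveat worth keeping in mind when reading the Thunderbird output: if no primary (master) password is set in Thunderbird, possession of logins.json and key4.db is sufficient to recover every stored password offline, which is why the stealer takes both files rather than attempting decryption on the victim host.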
