StrelaStealer, a newly identified information stealer, is harvesting email account credentials from Microsoft Outlook and Mozilla Thunderbird, BleepingComputer reports.
StrelaStealer, first seen early this month in campaigns aimed at Spanish-speaking users, is distributed through emails carrying ISO file attachments, according to a report from DCSO CyTec. In one sample the ISO contained a legitimate executable that sideloaded the malware through DLL search-order hijacking; in another it held an LNK shortcut together with a polyglot HTML file that either executes the malware or displays a decoy document, depending on whether it is run as a DLL or rendered as HTML. Once executing, StrelaStealer searches the Thunderbird profile for "logins.json", which holds the saved account entries with their encrypted usernames and passwords, and "key4.db", the key database needed to decrypt them, and exfiltrates both to the attackers' command-and-control (C2) server.
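The following is an added example, not code from the article or from DCSO CyTec's report. It triages the contents of an already-extracted ISO attachment the way a mail gateway or responder might: it recognises a Windows shell link by its header, a PE image by its MZ/PE headers, HTML by its markup, and flags a file that is both a PE and HTML as the kind of polyglot described above. The sample ISO contents, file names and the minimal PE-shaped header are constructed for the example; extracting a real ISO would need a separate ISO reader.

```python
import struct

# Shell link (.lnk) files begin with HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script")


def has_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_html(data: bytes) -> bool:
    """True if recognisable HTML markup appears anywhere in the file."""
    low = data.lower()
    return any(marker in low for marker in HTML_MARKERS)


def classify(data: bytes) -> str:
    """Coarse file type: lnk, pe, html, pe-html-polyglot or other."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    pe, html = has_pe_header(data), has_html(data)
    if pe and html:
        return "pe-html-polyglot"      # loadable by rundll32, renderable by a browser
    if pe:
        return "pe"
    if html:
        return "html"
    return "other"


def triage_iso_listing(files: dict) -> dict:
    """Classify each member of an extracted ISO and flag the LNK + polyglot pairing."""
    verdicts = {name: classify(data) for name, data in files.items()}
    kinds = set(verdicts.values())
    return {
        "files": verdicts,
        "suspicious_lure": "lnk" in kinds and "pe-html-polyglot" in kinds,
    }


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for the example (not a real executable)."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample ISO contents: a shortcut, a DLL/HTML polyglot and a harmless file.
SAMPLE_ISO = {
    "invoice.lnk": LNK_MAGIC + b"\x00" * 60,
    "invoice.html": _fake_pe() + b"\n<html><body>Decoy invoice text</body></html>\n",
    "readme.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    print(triage_iso_listing(SAMPLE_ISO))
```

The check is deliberately structural: a browser will happily render the HTML half of such a file whatever its first bytes are, and rundll32 only cares about the PE half, so neither a MIME sniff nor an extension check alone catches the lure. Treat any attachment that is both a valid PE and contains HTML markup as hostile regardless of its name.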
StrelaStealer also reads the Windows Registry to locate the Outlook software key and, beneath it, the "IMAP User", "IMAP Password" and "IMAP Server" values. Outlook stores the IMAP Password value protected with the Windows Data Protection API, so the malware decrypts it on the victim's machine before sending all three values to the C2 server.
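The following is an added example covering both the Thunderbird files and the Outlook registry values described in the two paragraphs above; it is not code from the article or from DCSO CyTec. It is the inventory a responder would run after an infection: parse a "reg export" of the Outlook profile keys to list every IMAP account whose credentials were reachable (checking that the password value really is a DPAPI blob by its header), parse a Thunderbird "logins.json" to list the saved accounts and note that their passwords can only be recovered with key4.db, and produce the set of identities to rotate. The registry export, the profile key path, the one-byte prefix Outlook is assumed to place before the DPAPI header, and the logins.json content are all constructed for the example.

```python
import json
import re

# A DPAPI blob starts with dwVersion == 1 and the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}, serialised little-endian.
DPAPI_SIG = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def is_dpapi_blob(blob: bytes) -> bool:
    # Assumption: Outlook stores the value with a one-byte prefix ahead of the
    # DPAPI header, so accept the signature at offset 0 or 1.
    return blob.startswith(DPAPI_SIG) or blob[1:].startswith(DPAPI_SIG)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for 'reg export' output: {key_path: {value_name: bytes}}.
    Only REG_BINARY ('hex:') values are decoded, which is all the IMAP values need."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                          # continuation of a hex: value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = bytes.fromhex(pending[1].replace(",", ""))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = re.match(r'"([^"]+)"=hex:(.*)$', line)
            if not m:
                continue
            name, hexpart = m.group(1), m.group(2)
            if hexpart.endswith("\\"):
                pending = [name, hexpart.rstrip("\\")]
            else:
                keys[current][name] = bytes.fromhex(hexpart.replace(",", ""))
    return keys


def _utf16(b: bytes) -> str:
    return b.decode("utf-16-le", errors="replace").rstrip("\x00")


def outlook_imap_accounts(reg: dict) -> list:
    """Outlook profile subkeys carrying the three values StrelaStealer reads."""
    found = []
    for path, values in reg.items():
        if "\\Outlook\\Profiles\\" not in path or "IMAP Server" not in values:
            continue
        found.append({
            "key": path,
            "user": _utf16(values.get("IMAP User", b"")),
            "server": _utf16(values["IMAP Server"]),
            "password_dpapi": is_dpapi_blob(values.get("IMAP Password", b"")),
        })
    return found


def thunderbird_logins(logins_json: str) -> list:
    """Saved Thunderbird accounts; encType != 0 means the password is encrypted
    with the NSS key kept in key4.db, so the stealer needs both files."""
    data = json.loads(logins_json)
    return [{"host": e["hostname"], "needs_key4": e.get("encType", 0) != 0}
            for e in data.get("logins", [])]


def exposure_report(reg_text: str, logins_json: str) -> dict:
    """Everything an infected host could have leaked, plus the identities to rotate."""
    outlook = outlook_imap_accounts(parse_reg_export(reg_text))
    tb = thunderbird_logins(logins_json)
    rotate = sorted({a["user"] for a in outlook} | {e["host"] for e in tb})
    return {"outlook": outlook, "thunderbird": tb, "rotate": rotate}


def _hexlist(b: bytes) -> str:
    return ",".join(f"{x:02x}" for x in b)


# Constructed 'reg export' fragment of an Outlook profile. The password blob is a
# fake: prefix byte + DPAPI header + zeros, not real ciphertext.
_PW = b"\x02" + DPAPI_SIG + b"\x00" * 16
_USER_HEX = _hexlist("alice@example.com".encode("utf-16-le") + b"\x00\x00")
_SERVER_HEX = _hexlist("imap.example.com".encode("utf-16-le") + b"\x00\x00")
_PW_HEX1, _PW_HEX2 = _hexlist(_PW[:8]), _hexlist(_PW[8:])
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002]
"IMAP User"=hex:{_USER_HEX}
"IMAP Server"=hex:{_SERVER_HEX}
"IMAP Password"=hex:{_PW_HEX1},\\
  {_PW_HEX2}
"""

# Constructed logins.json with placeholder ciphertext (encType 1 = NSS-encrypted).
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{"id": 1, "hostname": "imap://mail.example.com",
                "httpRealm": "imap://mail.example.com",
                "encryptedUsername": "AAAA", "encryptedPassword": "AAAA", "encType": 1}],
    "version": 3,
})

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_REG, SAMPLE_LOGINS_JSON), indent=2))
```

On a live host the registry values are read from HKCU under the user's Outlook profile and the Thunderbird files from the profile directory under %APPDATA%; the parser here works from an exported copy so it can run offline in a lab. Because the malware decrypts the Outlook password locally and ships key4.db alongside logins.json, every account the report lists should be treated as compromised and its password rotated, with any MFA or app-password sessions for those mailboxes revoked.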
Malware, Identity, Email security
Outlook, Thunderbird accounts targeted by novel StrelaStealer malware