Researchers have discovered a new malicious campaign going after user’s email (opens in new tab) login credentials.
Cybersecurity experts from DSCO CyTec found an infostealer dubbed “StrelaStealer” being actively used to steal login credentials from Spanish-speaking Outlook and Thunderbird email client users.
The campaign has only just been observed for the first time, suggesting it might be relatively new, and as such, possibly more dangerous until experts unravel its inner workings.
The attacks start much the same as other campaigns – with a phishing email.
So far, the researchers discovered two different email campaigns, one distributing an ISO with a “msinfo32.exe” executable file, which sideloads the bundled malware via DLL order hijacking. The second one, arguably more interesting, shares two files in the ISO – a Factura.lnk shortcut file, and an x.html browser document.
The latter was subsequently found to be a polyglot file – a file that can be treated as different formats, depending on the app that opens it.
So when the victim runs the shortcut file, it will run the HTML file twice – once as a DLL that loads the StrelaStealer, and once as an HTML file, which opens a decoy document in the browser. That way, the victim doesn’t suspect that a malicious file was loaded in the background.
Unlike most infostealers, which strive to grab as much intel as they can from the target endpoint, StrelaStealer is a unique beast, as it only goes after email login credentials.
For Thunderbird users, the malware will search the %APPDATA%\Thunderbird\Profiles\’ directory for ‘logins.json’ and ‘key4.db’. Should it find them, it exfiltrates them to the C2 server. For Outlook users, the malware will read the Windows Registry to find the software’s key, and then locate the IMAP User, IMAP Server, and IMAP Password values to exfiltrate.
So far, the malware has only targeted the Spanish-speaking community, prompting the media to speculate that it’s being used in highly targeted attacks.
Via: BleepingComputer (opens in new tab)