Table of Contents
November 17, 2022
|5m
What is StrelaStealer Malware? How Does StrelaStealer Malware Work?
Malware attacks are one of the most common forms of cyber-attacks, Malwares in short is a malicious program which is designed to create damage to your computer or network. Malware comes in different features and sizes. Attackers can modify it based on their requirement. In this article we are specifically talking about a Outlook Credential Stealer Malware, StrelaStealer Malware. Let’s see What is StrelaStealer Malware and how does StrelaStealer Malware work.
What is a Credential Stealer Malware?
There are different verities of malware existing around us. Malwares which harvest credentials from legitimate users and use it for malicious purpose like gathering sensitive and critical information, these are identified as the credential stealer malware. Most credential theft attacks are due to weak passwords like short passwords, pattern passwords, keywords etc.
There are primarily three type of credential stealer malware.
Malware that logs keystrokes
Malware that dumps data from windows such as password hashes etc. which can be used later.
Malware which waits for user to enter credentials.
What is StrelaStealer Malware?
The StrelaStealer malware is first observed in early November 2022 by DCSO CyTec Blog, it was observed as a part of malspam which targeted mainly the Spanish audience. This malware spread via an ISO attachment which targets on collecting credentials from outlook and Thunderbird (popular email platforms).
How Does StrelaStealer Malware Work?
Now let’s look into how does StrelaStealer malware work.
Execution of StrelaStealer via polyglot (Credits: DCSO CyTec Blog)
The initial intrusion is via an ISO file that masquerades itself as a legitimate file (msinfo32.exe) which will be delivered via an email attachment.
The ISO file contains two files one HTML (x.html) and LNK file (Factura.lnk).
The HTML file is actually a polyglot file (a polyglot file is a file which can have two or more different valid file formats)
The LNK file executes the polyglot ‘x.html’ initially as a DLL and then as HTML file.
The file performs targets the Software Licensing Client DLL (slc.dll) and performs dynamic link library (DLL)-sideloading, then the malware is executed.
Malware Analysis:
On further inspection of the ‘x.html’ file we observe that the html code is simply appended to the DLL file hence, the StrelaStealer malware files are DLL files whose code is not obfuscated but a cyclic xor with a hardcoded key is used to encrypt the strings.
The executed malware will then steal the login data of outlook and thunderbird.
Outlook:
The registry key,
‘HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\’ is used for enumeration.
This will give the values ‘IMAP User’, ‘IMAP Server’ and ‘IMAP Password’. Strelastealer uses ‘CryptUnprotectData’ to decrypt ‘IMAP password’ and share it via C2.
Thunderbird:
The strelastealer searches the ‘%APPDATA%\Thunderbird\Profiles\’ directory for ‘logins.json’ and ‘key4.db’ and shared it via C2
The communication to command and control is via plain HTTP POSTs, The XOR used in the strings will be used here also to encrypt the payload. From all the samples observed the servers and C2 is all hardcoded.
The format used to share the payload via C2 for outlook is
[prefix"OL"]
[Server1,User1,Password1]
[Server2,User2,Password2]
...Thunderbird:
[prefix "FF"]
[DWORDsize logins.json]
[contents of logins.json]
[contents of key4.db]The attackers use a method to check if the transfer of data is successful or not by checking the last two bytes of the response to be ‘kh’, if not the strelastealer will try again sending the data after a gap of 1 sec.
fa1295c746e268a3520485e94d1cecc77e98655a6f85d42879a3aeb401e5cf15
c8eb6efc2cd0bd10d9fdd4f644ebbebdebaff376ece9e48ff502f973fe837820
8b0d8651e035fcc91c39b3260c871342d1652c97b37c86f07a561828b652e907
879ddb21573c5941f60f43921451e420842f1b0ff5d8eccabe11d95c7b9b281e
b7e2e4df5cddcbf6c0cda0fb212be65dea2c442e06590461bf5a13821325e337
d8d28aa1df354c7e0798279ed3fecad8effef8c523c701faaf9b5472d22a5e28
ac040049e0ddbcb529fb2573b6eced3cfaa6cd6061ce2e7a442f0ad67265e800
bfc30cb876b45bc7c5e7686a41a155d791cd13309885cb6f9c05e001eca1d28a
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403
c69bac4620dcf94acdee3b5e5bcd73b88142de285eea59500261536c1513ab86
be9f84b19f02f16b7d8a9148a68ad8728cc169668f2c59f918d019bce400d90e
1437a2815fdb82c7e590c1e6f4b490a7cdc7ec81a6cb014cd3ff712304e4c9a3
9375cff0413111d3b88a00104b2a6676
b7e2e4df5cddcbf6c0cda0fb212be65dea2c442e06590461bf5a13821325e337
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403
d8d28aa1df354c7e0798279ed3fecad8effef8c523c701faaf9b5472d22a5e28
Pdb path:
C:\Users\admin\source\repos\Dll1\Release\Dll1.pdb
“C:\Users\Serhii\Documents\Visual Studio 2008\Projects\StrelaDLLCompile\Release\StrelaDLLCompile.pdb”
C2 server:
193.106.191[.]166
hxxp://193.106.191[.]166/server.php
ITW URL:
hxxp://45.142.212[.]20/dll.dll
MITRE ATT&CK
T1003 – Credential Dumping
T1041 – Exfiltration Over C2 Channel
T1041 – Exfiltration Over Command and Control Channel
T1059.003 – Windows Command Shell
T1071 – Standard Application Layer Protocol
T1566.001 – Spearphishing Attachment
T1574.002 – DLL Side-Loading
Phishing
Obfuscation
Credential Stealing
Attack Vectors
Phishing
Obfuscation
Credential Stealing
Tips to Protect Your Assets From StrelaStealer Malware
A strong password policy should be set in place, repetition of keyboard patterns, names etc. should be avoided.
Multifactor authentication should be enabled or any other strong authentication mechanism should be used.
Patch management in organizations must be in place
Secure password recovery mechanism should be in place
Proper awareness must be given to all staff
Avoid using same passwords for multiple platforms
It is a human nature to forget things, especially when it comes to passwords hence for the ease of use many of us will tend to use the same password repeatedly. If a credential stealer malware harvests your credential to have a minimum damage, repetition of passwords must be avoided.
We must always verify multiple times before entering sensitive information over internet. I hope this article helped in understanding what is StrelaStealer malware and how does StrelaStealer malware work. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Aroma Rose Reji
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
