What is StrelaStealer Malware? How Does StrelaStealer Malware Work?

Malware attacks are one of the most common forms of cyber-attacks, Malwares in short is a malicious program which is designed to create damage to your computer or network. Malware comes in different features and sizes. Attackers can modify it based on their requirement. In this article we are specifically talking about a Outlook Credential Stealer Malware, StrelaStealer Malware. Let’s see What is StrelaStealer Malware and how does StrelaStealer Malware work.

What is a Credential Stealer Malware?

There are different verities of malware existing around us. Malwares which harvest credentials from legitimate users and use it for malicious purpose like gathering sensitive and critical information, these are identified as the credential stealer malware. Most credential theft attacks are due to weak passwords like short passwords, pattern passwords, keywords etc.

There are primarily three type of credential stealer malware.

What is StrelaStealer Malware?

The StrelaStealer malware is first observed in early November 2022 by DCSO CyTec Blog, it was observed as a part of malspam which targeted mainly the Spanish audience. This malware spread via an ISO attachment which targets on collecting credentials from outlook and Thunderbird (popular email platforms).

How Does StrelaStealer Malware Work?

Now let’s look into how does StrelaStealer malware work.

Execution of StrelaStealer via polyglot (Credits: DCSO CyTec Blog)

Malware Analysis:

On further inspection of the ‘x.html’ file we observe that the html code is simply appended to the DLL file hence, the StrelaStealer malware files are DLL files whose code is not obfuscated but a cyclic xor with a hardcoded key is used to encrypt the strings.

The executed malware will then steal the login data of outlook and thunderbird.

Outlook:

The registry key,

‘HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\’  is used for enumeration.

This will give the values ‘IMAP User’, ‘IMAP Server’ and ‘IMAP Password’. Strelastealer uses ‘CryptUnprotectData’ to decrypt ‘IMAP password’ and share it via C2.

Thunderbird:

The strelastealer searches the ‘%APPDATA%\Thunderbird\Profiles\’ directory for ‘logins.json’ and ‘key4.db’ and shared it via C2

The communication to command and control is via plain HTTP POSTs, The XOR used in the strings will be used here also to encrypt the payload. From all the samples observed the servers and C2 is all hardcoded.

The format used to share the payload via C2 for outlook is

[prefix"OL"] 
[Server1,User1,Password1] 
[Server2,User2,Password2] 
...

Thunderbird:

[prefix "FF"] 
[DWORDsize logins.json] 
[contents of logins.json] 
[contents of key4.db]

The attackers use a method to check if the transfer of data is successful or not by checking the last two bytes of the response to be ‘kh’, if not the strelastealer will try again sending the data after a gap of 1 sec.

IOC

Pdb path:

C2 server:

ITW URL:

MITRE ATT&CK

Attack Vectors

Tips to Protect Your Assets From StrelaStealer Malware

It is a human nature to forget things, especially when it comes to passwords hence for the ease of use many of us will tend to use the same password repeatedly. If a credential stealer malware harvests your credential to have a minimum damage, repetition of passwords must be avoided.

We must always verify multiple times before entering sensitive information over internet. I hope this article helped in understanding what is StrelaStealer malware and how does StrelaStealer malware work. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles: