Previously unknown StrelaStealer malware hunts for mail login data from popular email clients such as Outlook and Thunderbird.
The purpose-built malware, which researchers discovered in November 2022, explicitly targets mail login data, analysts from DCSO CyTec say. Dubbed StrelaStealer, a reference to the Strela surface-to-air missile launcher, the malware might be part of a larger targeted attack.
“DCSO CyTec first discovered StrelaStealer in early November 2022 distributed via ISO files with what appears to be Spanish targets based on used lure documents. It is unclear at this point in time if StrelaStealer is part of a targeted attack,” researchers said in a blog post.
The newly detected malware operates as an infostealer. Threat actors often employ infostealers such as Raccoon Stealer to steal credit card data, cryptocurrency wallet credentials, browsing data, and other sensitive information. Malware operators are usually financially motivated.
According to the researchers, StrelaStealer spreads via ISO files with varying content, such as executable and polyglot files. A polyglot file is valid as two or more different file types, depending on which application opens it. StrelaStealer uses a file that is both a DLL and an HTML page.
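As an added illustration (not code from the article or from DCSO CyTec), the following Python script shows how a defender can tell a PE/HTML polyglot apart from a plain DLL or a plain HTML file: it validates the DOS and PE headers, reads the DLL flag from the COFF Characteristics field, and looks for HTML markers in the same bytes. The sample it builds is a constructed minimal stand-in with a DLL header and an HTML document appended, not an actual StrelaStealer artifact.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag marking a DLL
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body")


def pe_signature_offset(data: bytes):
    """Return the offset of the 'PE\\0\\0' signature, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def is_pe(data: bytes) -> bool:
    return pe_signature_offset(data) is not None


def is_dll(data: bytes) -> bool:
    """True if the COFF header's Characteristics field carries IMAGE_FILE_DLL."""
    sig = pe_signature_offset(data)
    if sig is None:
        return False
    # The COFF file header follows the 4-byte signature; Characteristics sits 18 bytes into it.
    characteristics = struct.unpack_from("<H", data, sig + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def has_html(data: bytes) -> bool:
    """Case-insensitive search for HTML markers anywhere in the file body."""
    lowered = data.lower()
    return any(marker in lowered for marker in HTML_MARKERS)


def classify(data: bytes) -> str:
    """Classify a file body as 'pe-html-polyglot', 'pe', 'html' or 'other'."""
    pe, html = is_pe(data), has_html(data)
    if pe and html:
        return "pe-html-polyglot"
    if pe:
        return "pe"
    if html:
        return "html"
    return "other"


def build_sample_polyglot(with_html: bool = True) -> bytes:
    """Constructed stand-in: a minimal DLL header with an HTML document appended.
    Not a real sample; it exists only to exercise the classifier."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0,  # Machine=AMD64, no sections, no symbols
                       IMAGE_FILE_DLL | 0x0002)            # Characteristics: DLL | EXECUTABLE_IMAGE
    body = bytes(dos) + b"PE\x00\x00" + coff
    if with_html:
        body += b"\n<html><body><p>lure document</p></body></html>\n"
    return body


if __name__ == "__main__":
    for name, blob in (("polyglot", build_sample_polyglot()),
                       ("plain dll", build_sample_polyglot(with_html=False)),
                       ("plain html", b"<!DOCTYPE html><html></html>")):
        print(f"{name:10s} -> {classify(blob)} (dll={is_dll(blob)})")
```

The check is deliberately structural rather than signature-based: a file that parses as a loadable PE image and also carries HTML markup has no legitimate reason to exist on a mail gateway or inside a delivered ISO, so the combination itself is the indicator, whichever family produced it.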
“Once executed, StrelaStealer attempts to locate and steal mail login data from Thunderbird and Outlook,” researchers noted.
For Thunderbird, the malware searches the app's profile directory and sends the gathered data to a command and control (C2) server. In an Outlook-directed attack, StrelaStealer scans the mail client's profile location on the device, looking for login and password details that are sent to the C2 server immediately upon discovery.
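Added example (not the article's or DCSO CyTec's code): a small Python detector that scans constructed access events for the behaviour described above, namely a process other than the mail client itself touching the Thunderbird profile directory or the Outlook profile registry keys. The pipe-separated log format is hypothetical, the process and path values are made up for the sample, and the file names logins.json and key4.db and the HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles key are Thunderbird's and Outlook's standard credential-storage locations rather than details the article states.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample events in a hypothetical "time|process|kind|target" format.
# This is not real telemetry, just enough to exercise the rules below.
SAMPLE_LOG = r"""
2022-11-08T09:14:02|thunderbird.exe|file|C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default-release\logins.json
2022-11-08T09:15:11|rundll32.exe|file|C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default-release\logins.json
2022-11-08T09:15:12|rundll32.exe|file|C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default-release\key4.db
2022-11-08T09:15:13|outlook.exe|registry|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
2022-11-08T09:15:14|rundll32.exe|registry|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
2022-11-08T09:16:00|explorer.exe|file|C:\Users\ana\Documents\notes.txt
"""


@dataclass
class AccessEvent:
    time: str
    process: str    # image name of the process performing the access
    kind: str       # "file" or "registry"
    target: str     # file path or registry key


@dataclass
class Alert:
    time: str
    process: str
    target: str
    reason: str


# Thunderbird keeps saved logins in logins.json, encrypted with a key from key4.db,
# inside %APPDATA%\Thunderbird\Profiles\<profile>\ (standard Thunderbird layout).
THUNDERBIRD_CREDS = re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)
# Outlook account settings live under HKCU\Software\Microsoft\Office\<ver>\Outlook\Profiles\.
OUTLOOK_PROFILES = re.compile(r"\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)

# Each credential store is paired with the one process expected to read it.
RULES = (
    ("thunderbird.exe", "file", THUNDERBIRD_CREDS,
     "non-Thunderbird process read Thunderbird credential store"),
    ("outlook.exe", "registry", OUTLOOK_PROFILES,
     "non-Outlook process read Outlook profile registry keys"),
)


def parse_events(text: str) -> List[AccessEvent]:
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue                      # skip malformed lines rather than crash
        events.append(AccessEvent(*fields))
    return events


def detect(events: List[AccessEvent]) -> List[Alert]:
    """Raise one alert per event where a foreign process touches a mail credential store."""
    alerts = []
    for ev in events:
        for owner, kind, pattern, reason in RULES:
            if ev.kind == kind and pattern.search(ev.target) and ev.process.lower() != owner:
                alerts.append(Alert(ev.time, ev.process, ev.target, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.time} {a.process}: {a.reason} ({a.target})")
```

The rule keys on who reads the store rather than on any hash or file name of the stealer, so it survives repacking; in production the allow-list would also need to cover legitimate backup and migration tools that touch these locations.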