Friday, November 11, 2022

StrelaStealer Malware Hijacking Outlook and Thunderbird Accounts


Security researchers at DCSO CyTec have discovered a new information-stealing malware that targets Outlook and Thunderbird email accounts.

Dubbed StrelaStealer, the malware belongs to the same family of tools as the information stealers that routinely harvest data from browsers, cloud gaming apps, cryptocurrency wallet apps, the clipboard and other sources. What sets this campaign apart is that StrelaStealer goes after Thunderbird and Outlook account credentials specifically, and that it targets Spanish-speaking users.

Attack Chain Analysis

The malware was first detected earlier this month. The attack chain begins with an email sent to the targeted user carrying an ISO image as an attachment. When the user opens the ISO, Windows mounts it, and running the executable it contains (msinfo32.exe, a legitimate, signed Windows binary) causes that executable to side-load the bundled malicious DLL through DLL search-order hijacking: the trusted program looks for a library by name in its own directory first and finds the attacker's copy.

Image: the malicious email used in the campaign

In other cases, the ISO contains a shortcut file (Factura.lnk) and an HTML document that is a polyglot file (x.html). Opened in a web browser, x.html renders as an ordinary text document; loaded by an executable, it delivers the payload. This works because the file carries a valid PE (DLL) header at offset zero, which is what the Windows loader requires, while browsers tolerate the binary data and render the HTML markup embedded further into the file.


How Does the Attack Work?

According to DCSO CyTec's blog post, when the user clicks the .lnk file, it launches x.html twice. First it runs the file through rundll32.exe, which loads it as a library and starts the embedded StrelaStealer DLL. Then it opens the same file in the system's default browser, which displays the decoy document.

While the user is reading the decoy, the stealer carries out its work in the background. For Thunderbird, it searches the %APPDATA%\Thunderbird\Profiles directory for logins.json and key4.db in order to steal account credentials: logins.json holds the saved logins in encrypted form, and key4.db holds the key material needed to decrypt them, so the pair is enough to recover the plaintext passwords.

For Outlook, the malware turns to the Windows Registry: it locates the Outlook profile key and reads the IMAP User, IMAP Password and IMAP Server values stored there. If they are present, it exfiltrates their contents to a C2 server controlled by the attacker.

It then waits for a response from the attacker. If one arrives, the malware exits; if not, it sleeps for one second and repeats the routine.
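Each step of the chain above leaves a trace that is unusual for a normal workstation: rundll32.exe loading a file that is not a DLL, a process other than Thunderbird reading logins.json or key4.db, a process other than Outlook reading the IMAP values from the profile key, and rundll32.exe opening a network connection. The following detection logic is an added example for this article, not code from DCSO CyTec or from any vendor product. It runs over a constructed, simplified JSON-lines event feed: the process-creation and network events map to Sysmon Event IDs 1 and 3, while the file-read and registry-read events assume an EDR or object-access audit source, because Sysmon does not record reads. Rule names and the event field names are this example's own.

```python
"""Host telemetry rules for the StrelaStealer behaviours described above.

Added example, not code from the article or from DCSO CyTec. The event
schema (type/pid/image/cmdline/path/key/value/dest) is an assumed,
simplified feed; the sample events are constructed.
"""
import json
import ntpath
import re
from collections import defaultdict

THUNDERBIRD_SECRETS = {"logins.json", "key4.db"}
OUTLOOK_IMAP_VALUES = {"imap user", "imap password", "imap server"}
# Module types rundll32 is legitimately asked to load
RUNDLL32_OK_EXT = {".dll", ".cpl", ".ocx", ".ax"}
# Captures the module argument, with or without quotes, before the ',EntryPoint'
RUNDLL32_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.IGNORECASE)

# Constructed sample feed. Backslashes are JSON-escaped inside a raw string.
# The '...,Run' entry point and the profile subkey layout are illustrative.
SAMPLE_EVENTS = r"""
{"type":"process_create","pid":4120,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe D:\\x.html,Run","parent":"explorer.exe"}
{"type":"process_create","pid":4130,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","parent":"explorer.exe"}
{"type":"file_read","pid":4120,"image":"C:\\Windows\\System32\\rundll32.exe","path":"C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\k2x.default\\logins.json"}
{"type":"file_read","pid":4120,"image":"C:\\Windows\\System32\\rundll32.exe","path":"C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\k2x.default\\key4.db"}
{"type":"file_read","pid":2210,"image":"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe","path":"C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\Profiles\\k2x.default\\key4.db"}
{"type":"registry_read","pid":4120,"image":"C:\\Windows\\System32\\rundll32.exe","key":"HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\00000002","value":"IMAP Password"}
{"type":"registry_read","pid":3300,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe","key":"HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\00000002","value":"IMAP Server"}
{"type":"network_connect","pid":4120,"image":"C:\\Windows\\System32\\rundll32.exe","dest":"203.0.113.10:80"}
"""


def parse_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def image_name(event: dict) -> str:
    return ntpath.basename(event.get("image", "")).lower()


def rundll32_module(cmdline: str):
    """Module path rundll32 was asked to load, or None if it cannot be parsed."""
    m = RUNDLL32_MODULE.search(cmdline)
    return m.group(1) if m else None


def match_rules(event: dict) -> list:
    """Names of the rules a single event triggers (possibly none)."""
    hits = []
    kind, image = event.get("type"), image_name(event)
    if kind == "process_create" and image == "rundll32.exe":
        module = rundll32_module(event.get("cmdline", ""))
        if module and ntpath.splitext(module)[1].lower() not in RUNDLL32_OK_EXT:
            hits.append("rundll32_loads_non_dll_file")
    elif kind == "file_read" and image != "thunderbird.exe":
        path = event.get("path", "")
        if "\\thunderbird\\profiles\\" in path.lower() and \
                ntpath.basename(path).lower() in THUNDERBIRD_SECRETS:
            hits.append("thunderbird_credential_files_read")
    elif kind == "registry_read" and image != "outlook.exe":
        if "\\outlook\\profiles\\" in event.get("key", "").lower() and \
                event.get("value", "").lower() in OUTLOOK_IMAP_VALUES:
            hits.append("outlook_imap_values_read")
    elif kind == "network_connect" and image == "rundll32.exe":
        hits.append("rundll32_outbound_connection")
    return hits


def detect(events: list) -> list:
    """Evaluate every rule, then correlate per process id.

    A single rule can fire on benign activity (a backup agent reading a
    profile, say); two or more distinct rules on the same pid is the
    stealer's signature, so that combination is raised as its own alert.
    """
    alerts, per_pid = [], defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "pid": ev.get("pid"), "image": image_name(ev)})
            per_pid[ev.get("pid")].add(rule)
    for pid, rules in per_pid.items():
        if len(rules) >= 2:
            alerts.append({"rule": "strelastealer_like_chain", "pid": pid, "rules": sorted(rules)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The rundll32 rule is the one worth deploying first: it needs only process-creation logging, and a module argument whose extension is .html, .txt or .pdf has no legitimate use. The file and registry rules depend on read telemetry that many environments do not collect; where that is the case, the network rule (rundll32.exe talking to the internet at all) is the cheapest fallback for catching the exfiltration loop.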

In conclusion, email attachments are a convenient way to share information and files, but they are also a common source of malware. A few simple habits go a long way toward protecting against malicious attachments.

First, never open an attachment from someone you do not know, and be wary of attachments you were not expecting even from senders you do know. Second, always scan attachments for malware before opening them. Many email programs do this automatically; if yours does not, free scanners are available online. Bear in mind that a disk image such as an ISO is a container, so a scanner has to look inside it to find anything, and a polyglot like x.html can pass a casual check because it really is a valid HTML file.

Finally, make sure you have an up-to-date security solution installed on your system. VirusTotal can also be used to check suspicious files and URLs. For administrators, the more durable controls are blocking or quarantining ISO and LNK attachments at the mail gateway, since files run from a mounted image have historically not carried the Mark of the Web and so bypass the usual SmartScreen warning, and alerting on rundll32.exe being handed a module whose name does not end in .dll.
