Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft

The cybersecurity landscape has recently been impacted by the emergence of the Strela Stealer malware, a sophisticated infostealer designed to target specific email clients, notably Microsoft Outlook and Mozilla Thunderbird.

This malware has been active since late 2022 and has been primarily used in large-scale phishing campaigns targeting users in several European countries, including Spain, Italy, Germany, and Ukraine.

The campaigns have evolved to include sending legitimate-looking emails with invoices, but instead of the actual invoice, they contain a ZIP archive with the Strela Stealer malware loader.

Technical Analysis and Delivery Mechanism

Strela Stealer is delivered through crafted phishing emails that encourage recipients to open a ZIP file, which contains a JScript file.

Once executed, this script connects to a command-and-control (C2) server to download and execute a DLL file using the regsvr32 utility.

The malware employs advanced obfuscation techniques, including multi-layer obfuscation and control-flow flattening, making it challenging to analyze.

According to Trustwave Report, the DLL is packed with unnecessary arithmetic operations and lacks static imports, further complicating detection.

Operation and Exfiltration

After successful execution, Strela Stealer verifies the system’s locale to ensure it matches targeted regions.

If confirmed, it proceeds to steal email credentials from Microsoft Outlook and Mozilla Thunderbird.

For Outlook, it retrieves and decrypts IMAP user, server, and password details from the registry.

The stolen data is exfiltrated via HTTP POST requests to a C2 server hosted within a Russian bulletproof hosting network.

Additionally, the malware gathers system information and lists installed applications, which are also sent to the C2 server.

The Strela Stealer’s infrastructure is linked to the Proton66 OOO autonomous system, a network known for hosting various malware operations.

The threat actor behind Strela Stealer, dubbed ‘Hive0145’, has developed sophisticated social engineering tactics and technical evasion methods to maintain the malware’s effectiveness.

As cybersecurity threats continue to evolve, understanding and mitigating such targeted attacks remains crucial for protecting sensitive user data.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!