StrelaStealer targets users to steal logins from Outlook and Thunderbird


A sophisticated variant of StrelaStealer malware, tailored for Spanish-speaking users, is targeting popular email clients Outlook and Thunderbird to pilfer email account credentials.


First detected in early November 2022, this evolved version of StrelaStealer has been fortified with sophisticated obfuscation and anti-analysis methods, posing a significant cybersecurity threat.

The malware is cunningly distributed through JavaScript embedded in archive files attached to emails. Upon execution by the unsuspecting user, the JavaScript drops a 64-bit executable file into the %userprofile% folder, initiating the malware process.

This executable serves as a loader for the payload, meticulously disguised to evade detection.

The technical analysis shows that the loader uses single-byte XOR to decrypt an encoded Portable Executable (PE) file that holds the malicious payload.
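For analysts triaging a suspected loader, the following added example (not code from the original report or from SonicWall) scans a binary blob for a PE file hidden behind a single-byte XOR key by checking the `MZ` magic, the `e_lfanew` pointer and the `PE\0\0` signature under each of the 255 possible keys. It assumes the key is applied uniformly and the embedded PE keeps its header; the function names and the sample blob are constructed for illustration, and the article does not give the real key or layout.

```python
import struct

def xor(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)

def find_xor_pe(blob: bytes, max_lfanew: int = 0x1000):
    """Return (offset, key) pairs where a XOR-encoded PE header validates."""
    hits = []
    for key in range(1, 256):            # key 0 would be an unencoded PE
        needle = xor(b"MZ", key)         # what "MZ" looks like under this key
        off = blob.find(needle)
        while off != -1:
            raw = blob[off + 0x3C: off + 0x40]   # encoded e_lfanew field
            if len(raw) == 4:
                e_lfanew = struct.unpack("<I", xor(raw, key))[0]
                sig = blob[off + e_lfanew: off + e_lfanew + 4]
                # Require a sane header offset and the NT signature so that
                # a chance two-byte match is not reported as a payload.
                if 0x40 <= e_lfanew <= max_lfanew and xor(sig, key) == b"PE\x00\x00":
                    hits.append((off, key))
            off = blob.find(needle, off + 1)
    return hits

def build_sample(key: int, pad: int = 37) -> bytes:
    """Constructed input: a stub PE header (not real malware data),
    XOR-encoded with `key` and surrounded by filler bytes."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # NT signature, machine type 0x8664 (x64), rest of the header zeroed.
    stub = bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x8664) + bytes(18)
    filler = bytes((i * 7 + 3) % 251 for i in range(pad))
    return filler + xor(stub, key) + filler

if __name__ == "__main__":
    blob = build_sample(0xA7)
    for offset, key in find_xor_pe(blob):
        print(f"encoded PE at offset {offset:#x}, key {key:#04x}")
```

A hit gives the offset and key needed to carve and decode the payload for static analysis. A loader that shows several stacked hits or none at all points to a multi-byte or layered scheme that this check does not cover.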

Its obfuscation techniques are notably potent, incorporating jump blocks, multiple loops, and dummy functions meticulously crafted to distract analysts and prolong execution time.

One intriguing aspect of StrelaStealer is its selective execution based on keyboard layout. The malware checks the system’s keyboard layout against a list of hardcoded values corresponding to countries like Germany, Spain, Italy, and Poland. If the layout matches any of these, the malware proceeds; otherwise, it terminates itself.

Virus Bulletin recently tweeted about SonicWall’s Capture Labs threat research team analyzing an updated variant of StrelaStealer targeting Outlook and Thunderbird email client users.

Stealing Confidential Data

StrelaStealer’s main objective is to pilfer confidential data from compromised devices, with a specific focus on Mozilla Thunderbird and Outlook.

It actively seeks out specific files and registry keys containing user credentials. Subsequently, it encrypts the gathered data using a single-byte XOR encryption method before transferring it to a server controlled by the attacker.

Avoiding Detection

The malware takes extensive measures to avoid detection by antivirus products. It deliberately omits copying the PE header to the injected PE and employs dynamic API resolution to further obscure its activities.

This updated variant of StrelaStealer highlights the evolving threat landscape and the ongoing necessity for vigilance among users and cybersecurity professionals.

With its sophisticated evasion techniques and targeted approach, the malware poses a significant threat, especially to Spanish-speaking users.

As of now, the archive file containing StrelaStealer hasn’t been discovered on popular threat intelligence sharing platforms like VirusTotal. This indicates the malware’s relative obscurity and the potential for widespread damage if not adequately addressed.

The appearance of this new StrelaStealer variant serves as a clear reminder of the ongoing evolution of cyber threats.

Users are urged to exercise caution when opening email attachments, even from apparently reliable sources, and to ensure their antivirus software is up-to-date.

In an ever-evolving cyber threat landscape, staying informed and remaining vigilant is paramount.

About the Author:

FirstHackersNews- Identifies Security
