StrelaStealer is a previously undocumented custom information stealer analyzed by DCSO CyTec that targets mail credentials stored by Thunderbird and Outlook. It is delivered via ISO images containing a lure document and a polyglot file that is valid as both a DLL and an HTML page, encrypts its strings and its C2 payload with a fixed XOR key, and exfiltrates over plain HTTP to a hardcoded C2 server. #StrelaStealer #StrelaStealerPolyglot #Thunderbird #Outlook #KanzasLLC
Keypoints
- StrelaStealer is a custom malware focused on stealing mail login data.
- First observed in November 2022, distributed via ISO files whose lure documents suggest Spanish-speaking targets.
- The ISO contains an LNK that executes the polyglot file x.html twice: once as a DLL (the stealer) and once as an HTML page.
- For Thunderbird, it locates logins.json and key4.db in the Thunderbird profile directories and sends their contents to the C2.
- For Outlook, it enumerates the registry for IMAP account data (user, server and DPAPI-protected password), decrypts the password with CryptUnprotectData, and sends the triple to the C2.
- Communication consists of plain HTTP POSTs to a hardcoded C2 URL; the payload is XOR-encrypted with the same key used for the binary's strings. The C2 is hosted on Russian bulletproof hosting (Kanzas LLC).
- IoCs include SHA-256 hashes, PDB paths, the C2 IP/URL and the in-the-wild (ITW) download URL; MITRE mappings cover credential dumping and exfiltration over the C2 channel.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Distribution via ISO files with lure documents; “distributed via ISO files with what appears to be Spanish targets based on used lure documents.”
- [T1574.002] DLL Side-Loading – The LNK executes x.html twice, once as a DLL and a second time as an HTML file; “StrelaStealer uses a file that is both valid as a DLL as well as an HTML page.” Strictly, this is execution of a DLL/HTML polyglot rather than side-loading by a legitimate host binary, so the mapping is approximate.
- [T1003] Credential Dumping – For Outlook, enumerates registry keys to find IMAP credentials and decrypts the IMAP Password with CryptUnprotectData; “decrypts the IMAP Password using CryptUnprotectData before sending the triple to its C2.”
- [T1041] Exfiltration Over C2 Channel – Communication via C2 using HTTP POSTs and XOR-encrypted payload; “Communication is done using plain HTTP POSTs, with the payload encrypted using the same xor key as for the strings.”
- [T1071] Standard Application Layer Protocol – Uses HTTP-based communication to exfiltrate data; “C2 server and resource name are hardcoded…”
- [T1059.003] Windows Command Shell – The cited evidence is the DLL entry point, “the main functionality triggered by calling its main export function named Strela or s.” Calling a DLL export is not by itself use of cmd.exe, so this mapping is only weakly supported by the behaviour described here.
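The page states that the C2 POST body is the content of key4.db or logins.json, XOR-encrypted with the same fixed key the binary uses for its strings. An analyst with a packet capture can recover that key without the sample: key4.db is an SQLite file, so its first 16 bytes are the known magic "SQLite format 3\0", and XORing them against the first 16 bytes of the POST body yields the keystream, whose period is the key. The following is an added example (not DCSO's code and not the malware's); the key bytes and the file contents in it are constructed for illustration and are not the real StrelaStealer key.

```python
"""Known-plaintext recovery of a repeating XOR key from a captured C2 POST body."""
from itertools import cycle
from typing import Optional

SQLITE_HEADER = b"SQLite format 3\x00"  # fixed 16-byte magic of every SQLite 3 file


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> Optional[int]:
    """Smallest p such that stream[i] == stream[i + p] for every valid i.
    Requires at least two full repetitions inside the stream, so a key longer
    than len(stream) // 2 cannot be confirmed and None is returned."""
    n = len(stream)
    for p in range(1, n // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(n - p)):
            return p
    return None


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Derive the keystream from a known plaintext prefix and return the
    repeating key if its period can be established within that prefix."""
    if len(ciphertext) < len(known_prefix):
        return None
    keystream = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    period = shortest_period(keystream)
    return keystream[:period] if period else None


def decrypt_capture(post_body: bytes, known_prefix: bytes = SQLITE_HEADER) -> Optional[bytes]:
    """Recover the key from the known prefix and decrypt the whole body."""
    key = recover_xor_key(post_body, known_prefix)
    return xor_bytes(post_body, key) if key else None


# --- constructed sample: a POST body carrying an (abbreviated) key4.db ---
FAKE_KEY = b"\x5a\xa7\x13"  # hypothetical 3-byte key, NOT the real malware key
FAKE_KEY4_DB = SQLITE_HEADER + b"\x10\x00\x01\x01\x00\x40\x20\x20" + b"\x00" * 24
CAPTURED_POST_BODY = xor_bytes(FAKE_KEY4_DB, FAKE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(CAPTURED_POST_BODY, SQLITE_HEADER)
    print("recovered key:", key.hex() if key else None)
    plain = decrypt_capture(CAPTURED_POST_BODY)
    print("plaintext head:", plain[:16] if plain else None)
```

Because the page says the same key protects the binary's strings, a key recovered this way from traffic also decodes the strings in the sample. The 16-byte SQLite magic only confirms keys of up to 8 bytes; for a longer key, use a longer known plaintext, for example the leading bytes of an exfiltrated logins.json taken from a known-good profile.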
Indicators of Compromise
- [SHA256] IoCs – fa1295c746e268a3520485e94d1cecc77e98655a6f85d42879a3aeb401e5cf15, c8eb6efc2cd0bd10d9fdd4f644ebbebdebaff376ece9e48ff502f973fe837820, and 8 more hashes
- [PDB Path] – C:\Users\admin\source\repos\Dll1\Release\Dll1.pdb, C:\Users\Serhii\Documents\Visual Studio 2008\Projects\StrelaDLLCompile\Release\StrelaDLLCompile.pdb
- [C2 Server] – 193.106.191[.]166, hxxp://193.106.191[.]166/server.php
- [ITW URL] – hxxp://45.142.212[.]20/dll.dll