
Malware attacks are one of the most common forms of cyber-attack. Malware, in short, is a malicious program designed to damage your computer or network. It comes with different features and in different sizes, and attackers can modify it to suit their requirements. This article looks specifically at an Outlook credential stealer, StrelaStealer: what it is and how it works.

What is a Credential Stealer Malware?

There are different varieties of malware around us. Malware that harvests credentials from legitimate users and uses them for malicious purposes, such as gathering sensitive and critical information, is known as credential stealer malware. Most credential theft attacks are due to weak passwords such as short passwords, pattern passwords, keywords etc.

There are primarily three types of credential stealer malware.

  • Malware that logs keystrokes
  • Malware that dumps data from Windows, such as password hashes, which can be used later
  • Malware that waits for the user to enter credentials

What is StrelaStealer Malware?

The StrelaStealer malware was first observed in early November 2022 by DCSO CyTec Blog, as part of malspam that mainly targeted a Spanish audience. The malware spreads via an ISO attachment and focuses on collecting credentials from Outlook and Thunderbird (popular email platforms).

How Does StrelaStealer Malware Work?

Now let's look at how StrelaStealer works.

Execution of StrelaStealer via polyglot (Credits: DCSO CyTec Blog)
  • The initial intrusion is via an ISO file, delivered as an email attachment, that masquerades as a legitimate file (msinfo32.exe).
  • The ISO file contains two files: an HTML file (x.html) and an LNK file (Factura.lnk).
  • The HTML file is actually a polyglot file (a file that is valid in two or more different file formats).
  • The LNK file executes the polyglot 'x.html' first as a DLL and then as an HTML file.
  • The file targets the Software Licensing Client DLL (slc.dll) and performs dynamic link library (DLL) side-loading, after which the malware is executed.

Malware Analysis:

On further inspection of the 'x.html' file, we observe that the HTML code is simply appended to the DLL file. The StrelaStealer malware files are therefore DLL files; their code is not obfuscated, but the strings are encrypted with a cyclic XOR using a hardcoded key.
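A content-based check for this layout, as an added example that is not part of the original article or of the DCSO analysis: it parses the PE headers, finds where the last section ends, and flags HTML markup in the bytes that follow. The function names and the minimal sample DLL are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<body")

def pe_overlay(data: bytes):
    """Return (is_dll, bytes after the last section) or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; only three fields are needed.
    _, n_sections, _, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * n_sections          # each section header is 40 bytes
    if end > len(data):
        return None
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return bool(flags & IMAGE_FILE_DLL), data[end:]

def triage(name: str, data: bytes) -> str:
    """Classify one attachment member by content, not by its extension."""
    parsed = pe_overlay(data)
    if parsed is None:
        return "not-pe"
    is_dll, overlay = parsed
    kind = "dll" if is_dll else "exe"
    if any(m in overlay.lower() for m in HTML_MARKERS):
        return f"pe-{kind}+html-polyglot"
    if not name.lower().endswith((".exe", ".dll", ".sys")):
        return f"pe-{kind}-with-misleading-extension"
    return f"pe-{kind}"

def constructed_dll() -> bytes:
    """Constructed sample: minimal PE headers, one 16-byte section, no real code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, IMAGE_FILE_DLL)
    sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 128) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + b"\xCC" * 16

if __name__ == "__main__":
    dll = constructed_dll()
    print(triage("x.html", dll + b"<html><body>Factura</body></html>"))
    print(triage("x.html", dll))
    print(triage("x.html", b"<html><body>plain page</body></html>"))
```

A signed PE also carries its Authenticode certificate table after the last section, so non-empty trailing bytes alone are not suspicious; the HTML markers are what make the verdict.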

The executed malware then steals the login data of Outlook and Thunderbird.

Outlook:

The registry key

HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

is used for enumeration.

This yields the values 'IMAP User', 'IMAP Server' and 'IMAP Password'. StrelaStealer uses 'CryptUnprotectData' to decrypt 'IMAP Password' and sends it to the C2.

Thunderbird:

StrelaStealer searches the '%APPDATA%\Thunderbird\Profiles' directory for 'logins.json' and 'key4.db' and sends them to the C2.

Communication with the command and control (C2) server uses plain HTTP POSTs. The same XOR used for the strings is also used to encrypt the payload. In all the samples observed, the servers and C2 are hardcoded.


The format used to send the payload to the C2 for Outlook is:

[prefix "OL"]
[Server1,User1,Password1]
[Server2,User2,Password2]
...

Thunderbird:

[prefix "FF"]
[DWORD size logins.json]
[contents of logins.json] [contents of key4.db]

The attackers check whether the data transfer succeeded by testing whether the last two bytes of the response are 'kh'; if not, StrelaStealer tries to send the data again after a gap of 1 sec.
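For incident response, a decoder for a captured POST body in the layout above shows which mail client's data left the host; this is an added example, not code from the original article or from the malware. It assumes the XOR covers the whole body starting at the prefix, that the DWORD is little-endian, and it uses a placeholder key because the page does not give the real one; all sample data is constructed.

```python
import struct

# Constructed placeholder: the page does not give the sample's hardcoded key.
KEY = b"PLACEHOLDER-KEY"

def cyclic_xor(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_exfil(body: bytes, key: bytes) -> dict:
    """Decode one POST body and split it by the layout described above."""
    plain = cyclic_xor(body, key)
    prefix, rest = plain[:2], plain[2:]
    if prefix == b"OL":
        # Record delimiters are not specified on the page, so keep them raw.
        return {"client": "Outlook", "records": rest}
    if prefix == b"FF":
        if len(rest) < 4:
            raise ValueError("truncated before the logins.json size field")
        (size,) = struct.unpack_from("<I", rest)   # assumed little-endian
        if 4 + size > len(rest):
            raise ValueError("capture shorter than declared logins.json size")
        return {"client": "Thunderbird",
                "logins_json": rest[4:4 + size],
                "key4_db": rest[4 + size:]}
    raise ValueError("unknown prefix; wrong key or unrelated traffic")

def server_acked(response: bytes) -> bool:
    """The transfer counts as accepted when the response ends in 'kh'."""
    return response[-2:] == b"kh"

# Constructed sample capture (no real credentials or key material).
LOGINS = b'{"logins":[{"hostname":"imap://mail.example.test"}]}'
KEY4 = b"SQLite format 3\x00"
SAMPLE_BODY = cyclic_xor(b"FF" + struct.pack("<I", len(LOGINS)) + LOGINS + KEY4, KEY)

if __name__ == "__main__":
    hit = parse_exfil(SAMPLE_BODY, KEY)
    print(hit["client"], len(hit["logins_json"]), len(hit["key4_db"]))
```

A body that decodes to a known prefix tells the responder which accounts need a password reset; a response ending in 'kh' means the upload was accepted.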

IOC

Pdb path:

  • C:\Users\admin\source\repos\Dll1\Release\Dll1.pdb
  • C:\Users\Serhii\Documents\Visual Studio 2008\Projects\StrelaDLLCompile\Release\StrelaDLLCompile.pdb

C2 server:

  • 193.106.191[.]166
  • hxxp://193.106.191[.]166/server.php

ITW URL:

  • hxxp://45.142.212[.]20/dll.dll

MITRE ATT&CK

  • T1003     – Credential Dumping
  • T1041     – Exfiltration Over C2 Channel
  • T1059.003 – Windows Command Shell
  • T1071     – Standard Application Layer Protocol
  • T1566.001 – Spearphishing Attachment
  • T1574.002 – DLL Side-Loading

Attack Vectors

  • Phishing
  • Obfuscation
  • Credential Stealing

Tips to Protect Your Assets From StrelaStealer Malware

  • A strong password policy should be in place; repeated keyboard patterns, names etc. should be avoided.
  • Multifactor authentication, or another strong authentication mechanism, should be enabled.
  • Patch management must be in place in organizations.
  • A secure password recovery mechanism should be in place.
  • Proper awareness must be given to all staff.
  • Avoid using the same password on multiple platforms.

It is human nature to forget things, especially passwords, so for ease of use many of us tend to use the same password repeatedly. To keep the damage to a minimum if a credential stealer harvests your credentials, avoid reusing passwords.
