European Organizations Targeted by Updated StrelaStealer Malware Campaign

A newly updated variant of the StrelaStealer malware is actively targeting organizations across Europe, according to a recent report from SonicWall Capture Labs. This information-stealing malware, originally observed in November 2022, has a history of focusing on Spanish-speaking users. The latest campaign reveals a wider net with an emphasis on Outlook and Thunderbird email client users throughout Europe.

Key Changes and Threats

Encryption key started from 0x10th offset in the data section | Image: SonicWall Capture Labs

The updated StrelaStealer variant is dispatched via JavaScript, sneaking into systems through archive files attached to emails. Upon activation, it unloads a 64-bit executable or DLL into the %userprofile% folder, kickstarting the malicious process. The malware employs a complex obfuscation and an array of anti-analysis techniques to cloak its presence from cybersecurity defenses.

The 64-bit executable, serving as a Trojan horse, encases the actual payload, utilizing an encryption key hidden within its data section to decrypt and execute the encoded payload. This method of obfuscation, combined with the use of jump blocks, loops, and dummy functions, creates a difficult task for researchers attempting to dissect the malware’s inner workings.

Technical Analysis

Once decrypted, the payload dynamically resolves API calls to seamlessly integrate into the host system. It meticulously parses the Portable Executable (PE) file structure and the Process Environment Block (PEB) to map and execute the payload with precision, all while evading detection by abstaining from copying the PE header.

A peculiar feature of this malware is its selective execution based on the keyboard layout, targeting specific European countries to continue its nefarious activities. Should the system’s keyboard layout not match its criteria, StrelaStealer terminates itself, a clear indication of its targeted approach.

How StrelaStealer Steals Your Data

  1. Target Validation: The malware checks the keyboard layout to ensure the infected computer is within a European country.
  2. System Identification: It acquires the computer name and creates a unique identifier.
  3. Thunderbird Data Theft: StrelaStealer searches for “logins.json” and “key4.db” files within Thunderbird profile folders to exfiltrate passwords and user data.
  4. Outlook Attack: The malware reads specific Windows registry keys to locate and decrypt IMAP credentials associated with Outlook.
  5. Data Exfiltration: Stolen data is encrypted and then sent to the attacker’s command-and-control server.

Conclusion

The resurgence of StrelaStealer with its enhanced capabilities underscores the ever-evolving threat landscape targeting European users. Staying informed about the latest malware trends and implementing a layered security approach remains crucial in defending against these attacks.