StrelaStealer Malware Intensifies Attacks on European Email Users, Avoiding Russia
A renewed wave of cyberattacks orchestrated by the StrelaStealer malware is raising concerns across Europe, with a particular focus on compromising email credentials from popular platforms like Outlook and Thunderbird. The SonicWall Capture Labs threat research team has documented a substantial surge in StrelaStealer activity during the third week of June, predominantly targeting users in Poland, Spain, Italy, and Germany.
The attack commences with an obfuscated JavaScript file, often disguised as an innocuous email attachment. Once executed, the file sets off a sophisticated chain of events, including dropping a self-copy onto the victim’s system, decoding a malicious PE file, and ultimately deploying the StrelaStealer DLL. This DLL, heavily obfuscated to evade detection, dynamically loads the necessary components for carrying out its malicious activities.
In a notable development, StrelaStealer has incorporated checks to deliberately avoid infecting systems within Russia, narrowing its focus exclusively to European targets. The malware meticulously examines keyboard layouts and language codes to determine the victim’s geographical location before proceeding with its credential theft operations.
Upon activation, StrelaStealer methodically scans the compromised system, first targeting Thunderbird email clients. It searches for critical files like logins.json and key4.db, exfiltrating any stored email credentials. Subsequently, the malware turns its attention to Outlook accounts, systematically enumerating registry keys associated with email configurations and transmitting the stolen information to a remote server under the attackers’ control.
All pilfered data is funneled to a command and control (C2) server, currently traced to the IP address 45.9.74[.]176. This server acts as the final repository for the stolen information, potentially leading to further exploitation in the form of identity theft, financial fraud, or even deeper network infiltration.
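The behaviours the report describes (a non-mail process reading Thunderbird's logins.json or key4.db, enumeration of Outlook profile registry keys, and traffic to the named C2 address) are the kind of thing a defender can turn into detection logic. The script below is an added example, not code from SonicWall or from the article; it runs a few hand-constructed telemetry events through three simple rules. The process names (rundll32.exe as the constructed offender, thunderbird.exe and outlook.exe as the expected legitimate readers), the Outlook registry path pattern under Software\Microsoft\Office\<version>\Outlook\Profiles, and the decision to ignore Firefox's identically named logins.json/key4.db are assumptions for the example, not details taken from the report.

```python
"""Triage constructed endpoint telemetry for the StrelaStealer behaviours in the report.

Rules (defensive, detection only):
  1. a process other than Thunderbird reads logins.json / key4.db in a Thunderbird profile
  2. a process other than Outlook enumerates Outlook profile registry keys
  3. any process connects to the C2 address listed in the report
"""
import ipaddress
import re
from dataclasses import dataclass

# IoC exactly as the report gives it (defanged); refanged before comparison.
C2_DEFANGED = "45.9.74[.]176"

# Thunderbird credential store files named in the report.
THUNDERBIRD_CRED_FILES = {"logins.json", "key4.db"}

# Assumption: only the mail clients themselves normally touch these stores.
THUNDERBIRD_PROCESSES = {"thunderbird.exe"}
OUTLOOK_PROCESSES = {"outlook.exe"}

# Assumption: the "registry keys associated with email configurations" live under
# the Office Outlook profile hive; the report does not spell out the path.
OUTLOOK_PROFILE_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE
)


@dataclass
class Alert:
    rule: str
    detail: str


def refang(ioc: str) -> str:
    """Turn a defanged IPv4 IoC (a[.]b[.]c[.]d) back into a comparable address."""
    addr = ioc.replace("[.]", ".")
    ipaddress.ip_address(addr)  # raises ValueError if the IoC was not a valid address
    return addr


def is_thunderbird_cred_file(path: str) -> bool:
    """True for logins.json / key4.db inside a Thunderbird profile directory.
    Firefox uses the same file names, so the path must mention Thunderbird (assumption)."""
    normalised = path.replace("\\", "/")
    name = normalised.rsplit("/", 1)[-1].lower()
    return name in THUNDERBIRD_CRED_FILES and "/thunderbird/" in normalised.lower()


def triage(events, c2_ip=None):
    """Apply the three rules to a list of event dicts and return the alerts raised."""
    c2_ip = c2_ip or refang(C2_DEFANGED)
    alerts = []
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "network" and ev.get("dst_ip") == c2_ip:
            alerts.append(Alert("c2_contact", f"{proc} -> {c2_ip}:{ev.get('dst_port')}"))
        elif (ev["type"] == "file_read"
              and is_thunderbird_cred_file(ev["path"])
              and proc not in THUNDERBIRD_PROCESSES):
            alerts.append(Alert("thunderbird_cred_access", f"{proc} read {ev['path']}"))
        elif (ev["type"] == "registry_enum"
              and OUTLOOK_PROFILE_KEY_RE.search(ev["key"])
              and proc not in OUTLOOK_PROCESSES):
            alerts.append(Alert("outlook_profile_enum", f"{proc} enumerated {ev['key']}"))
    return alerts


# Constructed sample telemetry; rundll32.exe is a stand-in, the report does not name the host process.
SAMPLE_EVENTS = [
    {"type": "file_read", "process": "thunderbird.exe",
     "path": r"C:\Users\a\AppData\Roaming\Thunderbird\Profiles\x1.default\logins.json"},
    {"type": "file_read", "process": "rundll32.exe",
     "path": r"C:\Users\a\AppData\Roaming\Thunderbird\Profiles\x1.default\key4.db"},
    {"type": "registry_enum", "process": "rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\<profile-subkey>"},
    {"type": "network", "process": "rundll32.exe", "dst_ip": "45.9.74.176", "dst_port": 80},
    {"type": "network", "process": "chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The first sample event (Thunderbird reading its own logins.json) deliberately produces no alert; the value of the file rule lies in the process exclusion, and an environment with other legitimate readers (backup agents, for instance) would extend the allow-list rather than loosen the rule. The C2 rule is the cheapest to deploy but also the most brittle, since an address can change between campaigns; the behavioural rules are what survive that.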
The resurgence of StrelaStealer highlights the evolving landscape of cyber threats and the increasing sophistication of malware campaigns. This targeted attack emphasizes the importance of robust email security practices and user vigilance. Individuals and organizations are advised to exercise caution when interacting with email attachments, especially those from unknown or suspicious sources.
To mitigate the risk of falling victim to this campaign, users should regularly update their antivirus software and employ strong, unique passwords for their email accounts. Additionally, organizations are encouraged to implement comprehensive email security solutions, such as advanced threat protection and sandboxing technologies, to detect and block malicious attachments before they can cause harm.