AhnLab Security Emergency response Center (ASEC) analysis team has recently confirmed the StrelaStealer Infostealer being distributed to Spanish users. StrelaStealer was initially discovered around November 2022 and has been distributed as an attachment to spam emails. In the past, ISO files were used as attachments, but recently, ZIP files have been utilized instead.
The email that is being distributed is similar to the one shown in Figure 1. The email body and the name of the attached compressed file are in Spanish, and the email contains a message about payment fees, instructing users to check the attached invoice.
The attachment is a ZIP that contains a PIF file. This PIF file is the StrelaStealer malware that performs the actual malicious behaviors and steals email account credentials.
Upon execution, a mutex is first created using the XOR [6-digit] value of the strings “computer name” and “strela”. It then proceeds to collect information from Thunderbird and Outlook. If no relevant information is found, it generates a message box and self-terminates.
The message box is written in Spanish like the email, and contains a message claiming that the file is corrupted and cannot be opened. Seeing this message box, users are led to believe that they have a corrupted file, making it difficult for them to realize that malware had been executed.
The first piece of information that it steals is the account credentials from Thunderbird. The files in the directories below are read and sent to a C2.
- %AppData%\Thunderbird\Profiles\[Profile name]\logins.json
- %AppData%\Thunderbird\Profiles\[Profile name]\key4.db
The second piece of information that is stolen is the account credentials from Outlook. The following registry values are read and the data is sent to a C2. In addition, for the “IMAP Password” value, it decrypts the data using the CryptUnprotectData API before transmitting it.
- HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\IMAP Password
- HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\IMAP User
- HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\IMAP Server
The C2 to which the collected information is sent to is as follows. The string “KH” is checked for as a response value to verify successful reception.
- C2 – hxxp://91.215.85[.]209/server.php
Recently there have been malware distribution cases targeting Spanish users to steal email account credentials. Caution is advised due to the possibility of the exfiltrated information being used to cause additional harm. Users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.