A new malware variant called StrelaStealer has been identified that is being distributed via email that targets credentials for two of the most popular email clients: Outlook and Thunderbird. This previously unknown malware was first identified earlier this month, and so far, has been used to target Spanish speakers.

The campaign was identified by security researchers at DCSO CyTec. The intercepted emails have an ISO (optical disc image) file attachment. These files contain all the data that would normally be written to an optical such as a CD, DVD, or Blu-ray disc, sector by sector, with the content bundled into a single file.

One of the files analyzed by the researchers contained an executable file that sideloads the malware contained in the ISO file via DLL order hijacking. The ISO file also contains a .lnk file and polyglot file. A polyglot file can be treated as several different file formats depending on the application that opens it. In this case, the polyglot file is an x.html file, which is both an x.html file and a DLL program that loads StrelaStealer malware. Execution sees the malware loaded in the memory and simultaneously a decoy document is displayed in the web browser while the malware is executed.

Interestingly the malware does not target browser data, cryptocurrency wallets, and other data commonly obtained by information-stealing malware. Instead, it searches for the %APPDATA%\Thunderbird\Profiles directory looking for login.json and key4.db. The former contains the account and password, and the latter is the password database. Both are then exfiltrated to the attacker’s command and control server.

The malware also searches the Windows Registry and retrieves the Outlook software key, and locates the IMAP User, IMAP Server, and IMAP password values. The passwords for Outlook are encrypted, but the malware uses the CryptUnprotectData function of Windows to decrypt the data before exfiltrating the decrypted data to the C2 server

Cybercriminals are constantly developing new techniques for distributing malware. Security awareness training typically focuses on raising awareness of the most common methods of malware delivery, such as Office files containing malicious macros. Since employees are likely to be much less familiar with ISO files, they may not identify these emails as malicious, or may not report them to their security teams due to the decoy document that is displayed, in the belief that nothing untoward has happened.

To improve protection against campaigns such as this, businesses should consider configuring their email security solution to quarantine emails containing risky file attachments such as executable files, and also configure their web filter to block downloads of these file types from the Internet. That is a simple process with SpamTitan Email Security and the WebTitan web filter.