CyTec

Old malware steals email credentials with new tricks

Type

Article

Date

27. Mar 2024


The mission of the “Strelastealer” malware is simple: it harvests the login credentials stored by common mail clients on its victim’s system and forwards them to cyber criminals. These, in turn, regularly teach the malware new tricks for infecting systems.

The “Strelastealer” malware is not completely new. Cybersecurity experts first noticed it in November 2022, as “Bleeping Computer” reports, citing “DCSO Cytec”. At that time, it targeted the systems of Spanish-speaking users, according to the article. This has since changed, according to an analysis by cybersecurity company Palo Alto Networks, which Bleeping Computer cites. According to the company, the malware now targets victims in the USA and Europe more broadly. It has already successfully infected over 100 systems, writes Palo Alto Networks.

The main purpose for which cyber criminals use the malware has not changed: on infected systems, the malicious program targets well-known email clients such as Microsoft Outlook or Thunderbird, reads the credentials stored for email accounts and transmits them to the cybercriminals in the background.

Since “Strelastealer” was first discovered by the cybersecurity industry, the malware has evolved. Its criminal developers constantly use new tricks to infect systems successfully. In particular, they frequently rely on so-called polyglot attacks, in which a dangerous file format is hidden inside a harmless-looking one. In its early days, for example, “Strelastealer” was distributed as an .ISO file that supposedly contained a shortcut file (.lnk) and an HTML file. In reality, however, the files contained executable program code in DLL format, which could trigger an infection on the target system.

According to the cybersecurity analysts, the newer variants of the malware combine ZIP archives and JScript files. The archive in turn hides a batch file, which decodes another encoded file and uses it as an executable DLL file for the attack.
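The common thread in both delivery chains described above is a file whose name promises one thing (an HTML page, a script, a shortcut) while its content is something else (a Windows DLL). A mail gateway or sandbox can catch a large share of such attachments simply by comparing each archive entry's declared extension with its leading bytes. The script below is an added example written for this article, not code from DCSO CyTec, Palo Alto Networks or the Strelastealer samples; the ZIP archive, the file names and the payload bytes are constructed inline for illustration. It flags entries whose content signature contradicts a text-style extension (such as an “.html” that begins with the PE/DLL “MZ” header) and separately lists shortcut and script entries that can start code execution when double-clicked.

```python
"""Flag archive entries whose declared extension does not match their
real content (e.g. an ".html" that is actually a PE/DLL), plus entries
with shortcut/script extensions that warrant a closer look.

Added example; the archive, file names and payload bytes below are
constructed for illustration and are not taken from any malware sample.
"""
import io
import zipfile

# Signatures at offset 0 for a few executable and container formats.
MAGIC = {
    b"MZ": "pe",                                   # Windows EXE/DLL (DOS header)
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",        # Windows shortcut header + CLSID prefix
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}

# Extensions that should hold plain text, never a binary.
TEXT_EXTENSIONS = {"html", "htm", "txt", "csv", "js", "bat", "cmd"}

# Shortcut/script types that can start code execution straight from an archive.
EXECUTION_EXTENSIONS = {"lnk", "js", "jse", "bat", "cmd", "vbs", "hta", "dll", "exe"}


def detect_type(data: bytes) -> str:
    """Return a coarse content type derived from the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # No known binary signature: classify as text if the head decodes as UTF-8.
    try:
        data[:512].decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def extension_of(name: str) -> str:
    """Lower-case extension without the dot, or '' if the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious entry of an in-memory ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(512)          # only the head is needed for a signature
            ext = extension_of(info.filename)
            kind = detect_type(head)
            reasons = []
            if ext in TEXT_EXTENSIONS and kind != "text":
                reasons.append(f"declared .{ext} but content looks like {kind}")
            if ext in EXECUTION_EXTENSIONS:
                reasons.append(f".{ext} can execute code when opened")
            if reasons:
                findings.append({"name": info.filename, "ext": ext,
                                 "kind": kind, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless text file, an 'HTML' file that is really a PE,
    and a shortcut file. The binary payloads are headers plus filler, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please open the attached document.\n")
        zf.writestr("invoice.html", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        zf.writestr("open_me.lnk", b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run on the constructed archive, the scanner reports `invoice.html` (declared HTML, content is PE) and `open_me.lnk` (a shortcut that can execute code), while `readme.txt` passes. The check deliberately reads only the first 512 bytes of each entry, so it stays cheap enough to run inline on every inbound attachment; nested archives and encoded payloads, as in the ZIP-plus-batch chain described above, would need the same check applied again after each unpacking or decoding step.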

As the cybersecurity companies’ analyses show, “Strelastealer” also employs a number of other techniques to gain access to targeted computers without being intercepted by anti-virus software. The companies therefore urge users not only to keep their protection software up to date, but also to handle attachments from unknown senders with care.


By René Jaun and lpe (Netzwoche)


Questions about the article? Contact: Alexander Heidorn, Head of CSIRT / Threat Research