StrelaStealer On the Hunt for Email Credentials
StrelaStealer is the name of a newly discovered malware application built with a single purpose: stealing email login credentials from victims.
StrelaStealer was first discovered in the first half of November 2022. The malware appears to be targeting primarily victims located in Spain. The campaign spreading StrelaStealer is using malicious disk image .ISO files to spread the malware.
The specifics vary from attack to attack. Security researchers discovered a malware ISO holding a file named "msinfo32.exe", a malicious middleware app that is used to load the stealer.
Another StrelaStealer ISO used a polyglot file, that is, a single file that is valid as two different file types, in this case a DLL and an HTML file. The malicious ISO image contains a shortcut .lnk file and a file called "x.html" that is loaded twice, once as a DLL and once as an HTML file, exercising both faces of the polyglot.
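A triage check defenders can run for the DLL/HTML polyglot described above, as an added example that is not taken from the article or from any StrelaStealer sample: it confirms that a file parses as a PE image (an MZ header whose e_lfanew points at a "PE\0\0" signature) and also contains HTML markers, so a file that is both gets flagged. The sample bytes below are constructed inline and stand in for no real sample.

```python
"""Flag files that look like a PE image but also carry HTML content.

Added example, not code from the original article. The polyglot bytes used
for the demonstration are constructed here, not taken from a real sample.
"""
import re
import struct
import sys

# Tags that should not appear in a clean DLL; case-insensitive, bytes-level.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|head|body|script)\b", re.IGNORECASE)


def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_html_content(data: bytes) -> bool:
    """True if any HTML marker tag occurs anywhere in the file."""
    return HTML_MARKERS.search(data) is not None


def classify(data: bytes) -> str:
    """Return 'pe-html-polyglot', 'pe', 'html' or 'other' for the given bytes."""
    pe, html = is_pe_image(data), has_html_content(data)
    if pe and html:
        return "pe-html-polyglot"
    return "pe" if pe else "html" if html else "other"


def build_constructed_polyglot() -> bytes:
    """Constructed bytes: MZ header, e_lfanew = 0x80, PE signature, then an HTML stub."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to e_lfanew (0x3C bytes)
    buf += struct.pack("<I", 0x80)                    # e_lfanew -> offset 0x80
    buf += b"\x00" * (0x80 - len(buf))                # pad up to the PE signature
    buf += b"PE\x00\x00" + b"\x00" * 0x100            # signature plus padding for headers
    buf += b"<html><body>constructed html stub</body></html>"
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python polyglot_check.py FILE [FILE ...]; with no paths, demo on the constructed bytes.
    if len(sys.argv) == 1:
        print("constructed sample:", classify(build_constructed_polyglot()))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

The check is a hunting heuristic, not a verdict: legitimate PE files can embed HTML in resources, so hits on the polyglot class are leads for analyst review rather than automatic blocks.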
The attack chain culminates with the malware opening a malicious document in HTML format in a browser window.
The malware attempts to scrape login information from the Thunderbird and Outlook email clients installed on the infected machine.