StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe

The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited to Poland, Spain, Italy and Germany.

The Initial infection vector is an obfuscated JavaScript file that is sent to the victim through emails in archive files. The JavaScript file drops a self-copy at “C:\Users\<Username>” location with random names like “needlereportcreepy.bat”. The bat file is then executed to check the language of the operating system and to exclude Russian users from infection by the stealer. Upon confirmation of non-Russian users using OSLanguage code “1049”, the base64-encoded PE file is dropped in the same directory with a random name (here, duckquixoticextra-small) and no extension. This base64-encoded data is then decoded and a DLL with some random name (here, bellpeeleight.ico) is dropped. The DLL is then executed using regsvr32.exe.

Figure 1: Checks for OSLanguage

The DLL has highly obfuscated code – the same as what we have observed in recent StrelaStealer binaries. This loader DLL then decrypts the actual PE file from its data section and injects it into the current process.

All the necessary APIs needed for stealer functionality are loaded dynamically. The stealer first checks for the keyboard layout of the system using the GetKeyboardLayout() API.

Figure 2: Checks GetKeyboardLayout

It checks for multiple language codes including 0x0C0A(Spanish-Spain), 0x042D(Basque-Spain), 0x0415(Polish-Poland), 0x0403(Catalan-Spain), 0x040A(Spanish-Spain), 0x0410(Italian-Italy), 0x0407(German-Germany) to detect the geo location of the system.

The main stealing functionality starts with the Mozilla Thunderbird email client. It checks for the presence of logins.json and key4.db at the directory IC:\Users\Jay\AppData\Roaming\Thunderbird\Profiles\” . If found, the data is sent to the IP http://45.9.74[.]176/.

Next, it checks for the presence of the registry key “SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\”. The information about email accounts is stored in subfolders under this key. All of this information is retrieved by enumerating the registry key. The information is then sent to the same IP address.

More information about StrelaStealer can be found in our previous blog.

IOCs

SHA256:

0f069016bc5c9347099589c103c8617e716ad301c3b83b69b5ebd11ef623cf78

a4cd72aea29e992fcdf808370f3a7c9333458535b86c9a11a1fff20299f837e6

f2afca709e2973f2733887e401c903580e1ffe4d4ae6d7ea28cc5a6149ba4b96

2385a4dcf8076eb51ad6893624d36ba49beac92f1e681297afbb89cd5be46c57

b36fee8895bd828a42a166488b4a2574a232726d89153e3e37fe4382020f7800

00e7bdaa8ff895b3b82a0b9cc8ba1971d6401e9cf575ec44a5bc3adc6bfd0771

IPs

45.9.74[.]176

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.