StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe


The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript files spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain resembles that of previous StrelaStealer versions, except that major checks have been added to avoid infecting systems in Russia. We continue to observe its targeting limited to Poland, Spain, Italy and Germany.

The initial infection vector is an obfuscated JavaScript file delivered to the victim by email inside an archive file. The JavaScript file drops a copy of itself in “C:\Users\<Username>” under a random name such as “needlereportcreepy.bat”. The .bat file is then executed to check the language of the operating system and exclude Russian users from infection by the stealer. Once the OSLanguage check confirms the system is not Russian (OSLanguage code “1049”), a base64-encoded PE file is dropped in the same directory under a random name (here, duckquixoticextra-small) with no extension. This base64-encoded data is then decoded and written out as a DLL with another random name (here, bellpeeleight.ico). The DLL is then executed using regsvr32.exe.
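The dropper chain above leaves a recognisable trace in process-creation telemetry: a script host launching cmd.exe on a .bat directly under C:\Users\<Username>\, followed by regsvr32.exe loading a file from that same profile root whose extension is not .dll. The following Python detector is an added example, not code from the original post or from SonicWall; the log lines and user names are constructed, and the field layout (user | parent image | image | command line) is an assumption.

```python
import re

# Constructed sample process-creation events (not from the original post).
# Field order assumed: user | parent image | image | command line
SAMPLE_EVENTS = [
    r"ACME\jay|C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\jay\needlereportcreepy.bat",
    r"ACME\jay|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\jay\bellpeeleight.ico",
    r"ACME\bob|C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Vendor\plugin.dll",
    r"ACME\bob|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\setup.dll",
]

# Matches a file sitting directly in a profile root (C:\Users\<user>\<file>.<ext>),
# but not files deeper in the profile such as ...\AppData\Local\Temp\x.dll.
PROFILE_ROOT_FILE = re.compile(r"[A-Za-z]:\\Users\\[^\\\s]+\\[^\\\s]+\.\w+", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RULE_BAT = "script_host_runs_bat_from_profile_root"
RULE_REGSVR = "regsvr32_loads_non_dll_from_profile_root"
RULE_CHAIN = "strelastealer_like_chain"

def parse_event(line):
    # Split the pipe-delimited line and keep only the image basenames.
    user, parent, image, cmdline = line.split("|", 3)
    return {"user": user, "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def profile_root_files(cmdline):
    # Return every profile-root file path referenced in the command line.
    return PROFILE_ROOT_FILE.findall(cmdline)

def classify(event):
    # Return (rule, path) hits for one event; an event may hit zero or more rules.
    hits = []
    for path in profile_root_files(event["cmdline"]):
        ext = path.rsplit(".", 1)[-1].lower()
        if event["image"] == "cmd.exe" and event["parent"] in SCRIPT_HOSTS and ext == "bat":
            hits.append((RULE_BAT, path))
        if event["image"] == "regsvr32.exe" and ext != "dll":
            hits.append((RULE_REGSVR, path))
    return hits

def detect(lines):
    # Collect hits per user; a user that shows both stages gets a chain alert.
    per_user = {}
    for line in lines:
        event = parse_event(line)
        for rule, path in classify(event):
            per_user.setdefault(event["user"], {})[rule] = path
    alerts = []
    for user, rules in per_user.items():
        alerts.extend((user, rule, path) for rule, path in rules.items())
        if RULE_BAT in rules and RULE_REGSVR in rules:
            alerts.append((user, RULE_CHAIN, rules[RULE_REGSVR]))
    return alerts
```

Running detect(SAMPLE_EVENTS) flags only the constructed user "jay", with the two stage hits and the chain alert; the benign regsvr32 loads of a real .dll outside the profile root and deeper inside it produce nothing.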

Figure 1: Checks for OSLanguage

The DLL is highly obfuscated, in the same way as the StrelaStealer binaries we have observed recently. This loader DLL decrypts the actual PE file from its data section and injects it into the current process.

All APIs needed for the stealer functionality are resolved dynamically. The stealer first checks the keyboard layout of the system using the GetKeyboardLayout() API.

Figure 2: Checks GetKeyboardLayout

It compares the result against multiple language codes, including 0x0C0A (Spanish-Spain), 0x042D (Basque-Spain), 0x0415 (Polish-Poland), 0x0403 (Catalan-Spain), 0x040A (Spanish-Spain), 0x0410 (Italian-Italy) and 0x0407 (German-Germany), to determine the geographic location of the system.

The main stealing functionality starts with the Mozilla Thunderbird email client. It checks for the presence of logins.json and key4.db in the directory “C:\Users\Jay\AppData\Roaming\Thunderbird\Profiles\”. If found, the data is sent to http://45.9.74[.]176/.

Next, it checks for the presence of the registry key “SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\”. Information about the configured email accounts is stored in subkeys under this key, and the stealer retrieves all of it by enumerating the key. The information is then sent to the same IP address.

More information about StrelaStealer can be found in our previous blog.
