A new virus attacks mailboxes

This virus affects the Outlook and Mozilla Thunderbird email clients and targets users’ personal data.

Cybersecurity researchers at DCSO CyTec spotted the virus. Called “StrelaStealer”, it aims to collect personal data such as user IDs and passwords. To do so, it reaches the user as an email attachment, namely an ISO file (an ISO is a file that can contain a copy of a CD, a DVD or a Blu-ray disc).

At present, only Spanish-speaking users of these two email clients are affected; however, there is nothing to indicate that the virus could not spread to other territories and reach other targets.

Virus modus operandi

As we have seen, the virus is contained in an ISO file delivered as an attachment. Inside the ISO file is a link to an invoice in .lnk format (DCSO CyTec shows an example of a fake BNP Paribas invoice). It is actually bait: opening the .lnk file launches the execution of a new file in polyglot .html format. This polyglot .html file contains an executable file, “msinfo32.exe”, which downloads a software library (DLL) containing the StrelaStealer virus to the victim’s device.

In addition, x.html opens the invoice in .lnk format in the default browser, so the user sees the invoice displayed on their computer. Once unintentionally installed by the victim, the virus can carry out its actions and collect data from the device.

Diagram of virus infection process / Source: DCSO CyTec

For Thunderbird, the virus looks in the “%APPDATA%\Thunderbird\Profiles\” folder for the “logins.json” and “key4.db” files. This is where it finds the data on the user’s account, including the password. The virus then sends the harvested information to a C2 server.

For Outlook, StrelaStealer looks in the Windows Registry and extracts the “IMAP User”, “IMAP Server” and “IMAP Password” values. Since the IMAP password is encrypted, the virus decrypts it with the Windows CryptUnprotectData function. Likewise, the virus sends the collected information to a C2 server. StrelaStealer waits for the C2 server to confirm that the collected data was received correctly; if it does not receive confirmation, the virus repeats the transfer until it succeeds.
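
The two access patterns described above can be turned into a simple detection rule. The following is an added example, not code from the article or from DCSO CyTec: it flags any process other than the mail client itself that reads the Thunderbird credential files or the Outlook IMAP registry values. The event field names, the sample events, the `example_loader.exe` name and the `<outlook-profile-key>` placeholder are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Items the article says StrelaStealer reads.
THUNDERBIRD_FILES = {"logins.json", "key4.db"}
OUTLOOK_VALUES = {"imap user", "imap server", "imap password"}
# Assumption: only the mail client itself should read its own store. Real
# deployments also need to allowlist backup and endpoint-security agents, and
# should match on full image path or signer, not just the file name.
EXPECTED_READER = {"file": "thunderbird.exe", "registry": "outlook.exe"}


def classify(event):
    """Return a finding string for a suspicious access, else None."""
    kind = event["type"]
    reader = ntpath.basename(event["image"]).lower()
    target = event["target"].lower()
    leaf = ntpath.basename(target)
    if reader == EXPECTED_READER.get(kind):
        return None
    if (kind == "file" and leaf in THUNDERBIRD_FILES
            and "\\thunderbird\\profiles\\" in target):
        return f"read Thunderbird credential file {leaf}"
    if kind == "registry" and leaf in OUTLOOK_VALUES:
        return f"read Outlook registry value '{leaf}'"
    return None


def triage(events):
    """Map each offending process image to the list of its findings."""
    hits = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            hits.setdefault(ev["image"], []).append(finding)
    return hits


# Constructed sample events (not real telemetry); all paths are made up.
PROFILE = r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default"
TBIRD = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
LOADER = r"C:\Users\ana\Downloads\example_loader.exe"
REG_VALUE = r"HKCU\<outlook-profile-key>\IMAP Password"  # placeholder key
SAMPLE_EVENTS = [
    {"type": "file", "image": TBIRD, "target": PROFILE + r"\logins.json"},
    {"type": "file", "image": LOADER, "target": PROFILE + r"\key4.db"},
    {"type": "file", "image": LOADER, "target": PROFILE + r"\logins.json"},
    {"type": "registry", "image": LOADER, "target": REG_VALUE},
    {"type": "registry", "image": r"C:\Office\OUTLOOK.EXE", "target": REG_VALUE},
]
```

A process that appears in the result with findings for both the Thunderbird files and the Outlook registry values matches the behaviour described for StrelaStealer more closely than a single hit does.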
