Hackers have released a stealthy threat that’s picking digital locks to email accounts across Europe. The culprit? Strela Stealer. This sneaky malware has been silently harvesting email credentials since late 2022, primarily targeting Microsoft Outlook and Mozilla Thunderbird users. Nice email you’ve got there. Shame if someone stole it.
The infection starts with a humble phishing email. Nothing revolutionary there. But what makes Strela unique is its geographic pickiness. It actually checks your system’s locale settings to confirm you’re in one of its preferred hunting grounds: Germany, Spain, Italy, or Ukraine. If you’re not in the target zone, it simply terminates. Talk about exclusive malware.
Once activated, Strela digs through the Windows Registry like a digital archaeologist, hunting for Outlook profile data. It extracts IMAP usernames, server addresses, and passwords. Then – surprise! – it decrypts your protected data using Microsoft’s own CryptUnprotectData API. The irony. The malware uses the regsvr32 utility to launch a downloaded DLL file as part of its execution process.
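As an added example (not code from the original article or from the malware), here is a heuristic detection for the regsvr32-launches-a-downloaded-DLL step, run over constructed process-creation events; the event field names, the user-writable directory list, the parent-process list and the scoring weights are all assumptions for this example.

```python
"""Flag regsvr32 loading a DLL from a user-writable path, as in the Strela chain.

Added example, not part of the original article. Events are constructed to
resemble process-creation telemetry (e.g. Sysmon Event ID 1); field names,
directory list and score weights are assumptions.
"""
import re
from dataclasses import dataclass

# Directories a phishing payload is typically dropped into before execution (assumption).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|programdata|temp)\\",
    re.IGNORECASE,
)
# Quoted path with spaces, or an unquoted path without spaces.
DLL_ARG = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\\S+?\.dll)', re.IGNORECASE)
# Processes that commonly open phishing attachments (assumption).
PHISH_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class ProcEvent:
    image: str          # full path of the started process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means the event is not regsvr32 loading a DLL."""
    reasons: list[str] = []
    if ev.image.rsplit("\\", 1)[-1].lower() != "regsvr32.exe":
        return 0, reasons
    m = DLL_ARG.search(ev.command_line)
    if not m:
        return 0, reasons
    dll = m.group(1) or m.group(2)
    score = 1
    reasons.append(f"regsvr32 loading {dll}")
    if USER_WRITABLE.search(dll):
        score += 2
        reasons.append("DLL resides in a user-writable directory")
    if "/s" in ev.command_line.lower().split():
        score += 1
        reasons.append("silent flag (/s) suppresses error dialogs")
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in PHISH_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent}, consistent with an opened attachment")
    return score, reasons

def flag_suspicious(events, threshold=3):
    """Return (event, score, reasons) for every event at or above the threshold."""
    return [(ev, s, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]

# Constructed sample telemetry: one suspicious launch, one benign installer, one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.dll",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt",
              r"C:\Windows\explorer.exe"),
]
```

Only the first sample event crosses the threshold; the legitimate installer's regsvr32 call scores too low because its DLL sits under Program Files and its parent is msiexec.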
The stolen goods get bundled up, encrypted, and sent via HTTP POST requests to command and control servers. These servers are reportedly linked to Russian bulletproof hosting services. Each victim gets a special identifier based on their system’s volume GUID. So thoughtful of them to keep your stolen data organized.
Strela’s developers aren’t sitting still. They’ve evolved from using basic polyglot files to adopting valid code signing certificates. They’ve even created something called “Stellar Crypter” to better hide their tracks. Recent campaigns have significantly expanded their reach, targeting over 500 US organizations in January 2024 alone. Financial institutions face a 6.3x higher risk of these infostealer attacks in 2024, making them prime targets for credential theft.
Security researchers attribute this operation to threat actor group Hive0145, who clearly take their stealing seriously.
The malware employs impressive obfuscation techniques – control-flow flattening, arithmetic operation inflation, and removed debugging information. All this technical wizardry for one simple goal: to steal your email login. Because apparently, building sophisticated malware to pilfer passwords is easier than finding honest work these days.