Researchers have discovered a new malware campaign that stalks users’ email login credentials
Cyber security experts from DCSO CyTec have found that an infostealer nicknamed “StrelaStealer” is actively being used to steal login credentials from Spanish-speaking Outlook and Thunderbird users.
The campaign was first observed in January, which suggests it is still relatively new; until experts fully uncover its inner workings, it may prove more dangerous than expected.
Polyglot files
The attacks begin just like other campaigns: with a phishing message.
Researchers have so far discovered two different email campaigns. One distributes an ISO containing an executable called “msinfo32.exe” that sideloads the malware through DLL hijacking. The second is more interesting: its ISO contains two files, the shortcut Factura.lnk and an HTML document, x.html.
The HTML file turned out to be a polyglot: it can be opened as different formats depending on the application that loads it.
Opening the shortcut runs the polyglot file twice: once as a DLL, which loads StrelaStealer, and once as HTML, which opens an HTML document in the browser as a decoy. The victim sees only the document and doesn’t suspect that a malicious file was loaded in the background.
Unlike most infostealers, which try to extract as much information as possible from the target endpoint, StrelaStealer is a rare beast: it goes only after email login credentials.
For Thunderbird users, the malware searches the %APPDATA%\Thunderbird\Profiles\ directory for ‘logins.json’ and ‘key4.db’. If it finds them, it sends them to the C2 server. For Outlook users, the malware reads the Windows registry to find the software key, then locates the IMAP User, IMAP Server and IMAP Password values and extracts them.
So far the malware has only targeted Spanish-speaking users, prompting speculation in the media that it is being used to carry out highly targeted attacks.
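As an added defensive example (not code from the article or from DCSO CyTec’s report), the following Python triage script checks for the two behaviours described above: a file that begins with a PE “MZ” header yet also carries HTML markup, i.e. the polyglot shape, and a process other than the mail client itself reading the Thunderbird logins.json/key4.db files or the Outlook IMAP registry values. The “key=value” event format and every sample are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample (not real malware): a DOS/PE "MZ" stub followed by HTML
# markup mimics the dual-format file described in the article.
POLYGLOT_SAMPLE = b"MZ" + b"\x00" * 62 + b"<html><script>alert(1)</script></html>"
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<body")

def is_pe_html_polyglot(data: bytes) -> bool:
    """Flag a file that starts with a PE/DOS header but also contains HTML markup."""
    if not data.startswith(b"MZ"):
        return False
    lowered = data.lower()
    return any(marker in lowered for marker in HTML_MARKERS)

# Constructed file/registry access events in an assumed "key=value" log format.
SAMPLE_EVENTS = [
    r"pid=4120 image=C:\Windows\System32\rundll32.exe op=FileRead "
    r"target=C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json",
    r"pid=988 image=C:\Program Files\Mozilla Thunderbird\thunderbird.exe op=FileRead "
    r"target=C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abc.default\key4.db",
    r"pid=4120 image=C:\Windows\System32\rundll32.exe op=RegQueryValue "
    r"target=HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\00000002\IMAP Password",
    r"pid=2200 image=C:\Windows\explorer.exe op=FileRead target=C:\Users\ana\Documents\notes.txt",
]
EVENT_RE = re.compile(r"pid=(\d+) image=(.+?) op=(\w+) target=(.+)$")
# The Thunderbird credential store files and Outlook IMAP values named in the article.
CRED_TARGET_RE = re.compile(
    r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$"
    r"|\\Outlook\\Profiles\\.*\\IMAP (User|Server|Password)$",
    re.IGNORECASE,
)
EXPECTED_READERS = ("thunderbird.exe", "outlook.exe")

def find_credential_access(events: List[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, target) for any process other than the mail clients
    themselves that touches the credential stores StrelaStealer goes after."""
    hits = []
    for line in events:
        match = EVENT_RE.match(line)
        if not match:
            continue
        pid, image, _op, target = match.groups()
        if not CRED_TARGET_RE.search(target):
            continue
        if image.lower().rsplit("\\", 1)[-1] in EXPECTED_READERS:
            continue  # the mail client reading its own store is expected
        hits.append((int(pid), image, target))
    return hits
```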