#ShortAndMalicious: StrelaStealer aims for mail credentials

Strela surface-to-air missile launcher (Source: Wikipedia)

In our newest category #ShortAndMalicious DCSO CyTec aims to briefly highlight new and interesting samples we come across in our daily hunt for malware.

For the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела” == arrow) which appears to be purpose-built to steal mail login data.

PDB path contained in StrelaStealer samples

DCSO CyTec first discovered StrelaStealer early November 2022 distributed via ISO files with what appears to be Spanish targets based on used lure documents. It is unclear at this point in time if StrelaStealer is part of a targeted attack.

Blog authored by Johann Aydinbas and Axel Wauer.

Execution via polyglot

StrelaStealer samples are distributed in ISO files with varying content. In one instance, StrelaStealer uses a renamed msinfo32.exe to sideload StrelaStealer as slc.dll. Another, more interesting variant distributes StrelaStealer as a DLL/HTML polyglot.

Polyglots files are files that are valid as two or more different file formats. In this case, StrelaStealer uses a file that is both valid as a DLL as well as an HTML page.

Execution of StrelaStealer via polyglot

The ISO file contains two files, one Factura.lnk and the polyglot x.html file. The LNK file then executes x.html twice, once as a DLL and a second time as an HTML file.

Parsed LNK file — command to execute the polyglot

Inspecting x.html then shows that it simply contains HTML code appended to the DLL file:

Appended HTML code

Double-clicking it opens the browser and displays the lure document:

Lure document rendered by Firefox

Malware analysis

StrelaStealer samples are DLL files, with the main functionality triggered by calling its main export function named Strela or s. While its code is not obfuscated, strings are encrypted with a cyclic xor with a hardcoded key:

Hardcoded xor key

Once executed, StrelaStealer attempts to locate and steal mail login data from Thunderbird and Outlook.

For Thunderbird, StrelaStealer searches for logins.json and key4.db in the %APPDATA%ThunderbirdProfiles directory and sends the file contents to its C2.

For Outlook, StrelaStealer enumerates the registry keyHKCUSOFTWAREMicrosoftOffice16.0OutlookProfilesOutlook9375CFF0413111d3B88A00104B2A6676 in order to find the values IMAP User, IMAP Server and IMAP Password. StrelaStealer then decrypts the IMAP Password using CryptUnprotectData before sending the triple to its C2.

Communication

Communication is done using plain HTTP POSTs, with the payload encrypted using the same xor key as for the strings. C2 server and resource name are hardcoded and so far all samples were configured for the same one:

hxxp://193.106.191[.]166/server.php

The IP address is hosted on known Russian bulletproof hosting “Kanzas LLC” with the /24 likely being hosted in Moscow.

Stolen files from Thunderbird are sent home in the following format:

[prefix "FF"]
[DWORD size logins.json]
[contents of logins.json]
[contents of key4.db]

Outlook data uses the following format:

[prefix "OL"]
[Server1,User1,Password1]
[Server2,User2,Password2]
...

When sending home data, StrelaStealer checks for the last two bytes of the response to be KH which appears to signal a successful transfer and causes StrelaStealer to quit, otherwise it retries to send the data again after a 1 second sleep.

IoCs

As usual, you can find below the IoCs. We share a MISP event on our GitHub.

sha256
fa1295c746e268a3520485e94d1cecc77e98655a6f85d42879a3aeb401e5cf15
c8eb6efc2cd0bd10d9fdd4f644ebbebdebaff376ece9e48ff502f973fe837820
8b0d8651e035fcc91c39b3260c871342d1652c97b37c86f07a561828b652e907
879ddb21573c5941f60f43921451e420842f1b0ff5d8eccabe11d95c7b9b281e
b7e2e4df5cddcbf6c0cda0fb212be65dea2c442e06590461bf5a13821325e337
d8d28aa1df354c7e0798279ed3fecad8effef8c523c701faaf9b5472d22a5e28
ac040049e0ddbcb529fb2573b6eced3cfaa6cd6061ce2e7a442f0ad67265e800
bfc30cb876b45bc7c5e7686a41a155d791cd13309885cb6f9c05e001eca1d28a
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403
c69bac4620dcf94acdee3b5e5bcd73b88142de285eea59500261536c1513ab86
be9f84b19f02f16b7d8a9148a68ad8728cc169668f2c59f918d019bce400d90e
1437a2815fdb82c7e590c1e6f4b490a7cdc7ec81a6cb014cd3ff712304e4c9a3
Pdb path:
C:UsersadminsourcereposDll1ReleaseDll1.pdb"C:UsersSerhiiDocumentsVisual Studio 2008ProjectsStrelaDLLCompileReleaseStrelaDLLCompile.pdb"
C2 server:
193.106.191[.]166
hxxp://193.106.191[.]166/server.php
ITW URL:
hxxp://45.142.212[.]20/dll.dll

MITRE ATT&CK

T1003     - Credential Dumping 
T1041 - Exfiltration Over C2 Channel
T1041 - Exfiltration Over Command and Control Channel
T1059.003 - Windows Command Shell
T1071 - Standard Application Layer Protocol
T1566.001 - Spearphishing Attachment
T1574.002 - DLL Side-Loading

Source: https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc