Outlook, Thunderbird: beware of this new virus that wants to steal your email accounts


Thibaut Keutchayan

November 14, 2022 at 8:35 a.m.


A virus that wants your usernames and passwords has just been spotted by cybersecurity researchers in November 2022.

For the time being, it primarily targets Spanish-speaking users of Outlook and Thunderbird, but nothing rules out a spread to new targets.

A polyglot file lets the hackers run a flawless operation

This new virus has the potential to wreak serious havoc. Cybersecurity researchers at DCSO CyTec claim to have recently isolated a virus whose objective is to steal the usernames and passwords of users of two particularly popular email clients: Microsoft Outlook and Mozilla Thunderbird. Named “StrelaStealer”, this virus relies on a simple mode of operation: an email attachment, namely an ISO file.

Figure: StrelaStealer infection chain (© DCSO CyTec)

In particular, the ISO contains a shortcut to an invoice, in .lnk format, which serves as a decoy. What is particularly perverse is that opening this .lnk file also launches the execution of another file, in polyglot .html format, visible in the figure above. The latter first contains an executable, “msinfo32.exe”, which downloads onto the device a software library (DLL) that contains the StrelaStealer virus.

But that’s not all: x.html also opens the .lnk invoice in the default web browser. The potential victim therefore sees the invoice displayed and does not suspect that StrelaStealer has just been installed on their device. The steps are summarized in the figure above.

For the moment, Spanish speakers are the preferred targets

StrelaStealer can then calmly go about finding usernames and passwords. For Thunderbird, the virus digs into the “%APPDATA%\Thunderbird\Profiles” folder and the “logins.json” and “key4.db” files. It extracts the account data, in particular the victim’s password, and sends it to the attacker through a C2 server.

For Outlook, StrelaStealer digs into the Windows registry and extracts the “IMAP User”, “IMAP Server” and “IMAP Password” values. Since the IMAP password is stored encrypted, the virus calls the Windows API function CryptUnprotectData to decrypt it before sending it to the attacker, again via the C2 server. Before ceasing its activity, StrelaStealer waits for the C2 server’s response to confirm that the victim’s data has indeed been received; otherwise it retries the transfer until it succeeds.
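From a defender’s side, the chain described in the two passages above (a .lnk opening a polyglot .html that is handed to a system binary, then reads of the Thunderbird profile files and of the Outlook IMAP registry values, followed by traffic to a C2 server) can be turned into a handful of correlation rules run over endpoint telemetry. The following is an added example and not code from the article or from DCSO CyTec: the Sysmon-like events, the profile folder name, the registry sub-key names and the destination address are constructed, and the rule names and the functions detect and strelastealer_like are my own.

```python
"""Toy detection rules for a StrelaStealer-like chain over constructed, Sysmon-like events.

Assumptions (not from the article): events are reduced to a kind, the acting
process image and one target string (command line, file path, registry value
path or destination). Sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")


@dataclass(frozen=True)
class Event:
    kind: str     # "process" | "file" | "registry" | "network"
    image: str    # full path of the acting process
    target: str   # command line, file path, registry value path or destination


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Thunderbird credential store named in the article: logins.json and key4.db under
# %APPDATA%\Thunderbird\Profiles\<profile>\
THUNDERBIRD_STORE = re.compile(
    r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)
# Outlook IMAP values named in the article, stored under the Outlook profiles key.
OUTLOOK_IMAP = re.compile(r"\\outlook\\profiles\\.*\\imap (user|server|password)$", re.I)
# An .html path appearing on a command line.
HTML_ARG = re.compile(r"\S+\.html\b", re.I)


def detect(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, acting image) hits in event order.

    Rules: a non-browser process given an .html file; a process other than
    Thunderbird reading its credential store; a process other than Outlook
    reading the IMAP registry values; and network activity by a process that
    already read credentials (the C2 exchange the article describes).
    """
    hits: List[Tuple[str, str]] = []
    cred_actors = set()
    for ev in events:
        actor = basename(ev.image)
        if ev.kind == "process" and actor not in BROWSERS and HTML_ARG.search(ev.target):
            hits.append(("html-handed-to-non-browser", actor))
        elif ev.kind == "file" and actor != "thunderbird.exe" and THUNDERBIRD_STORE.search(ev.target):
            hits.append(("thunderbird-credential-store-read", actor))
            cred_actors.add(actor)
        elif ev.kind == "registry" and actor != "outlook.exe" and OUTLOOK_IMAP.search(ev.target):
            hits.append(("outlook-imap-registry-read", actor))
            cred_actors.add(actor)
        elif ev.kind == "network" and actor in cred_actors:
            hits.append(("post-credential-read-network", actor))
    return hits


def strelastealer_like(events: Iterable[Event]) -> bool:
    """True when the whole chain is present: html lure, credential read, then network."""
    names = {name for name, _ in detect(events)}
    return ("html-handed-to-non-browser" in names
            and names & {"thunderbird-credential-store-read", "outlook-imap-registry-read"}
            and "post-credential-read-network" in names) != False


# Constructed sample: the chain from the article (profile name, account sub-key
# and destination are placeholders).
SAMPLE = [
    Event("process", r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe" D:\invoice.lnk'),
    Event("process", r"C:\Windows\System32\msinfo32.exe", r'"C:\Windows\System32\msinfo32.exe" D:\x.html'),
    Event("process", r"C:\Program Files\Mozilla Firefox\firefox.exe", r'firefox.exe D:\x.html'),  # benign
    Event("file", r"C:\Windows\System32\msinfo32.exe",
          r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"),
    Event("file", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
          r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"),  # benign
    Event("registry", r"C:\Windows\System32\msinfo32.exe",
          r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0000000a\IMAP Password"),
    Event("network", r"C:\Windows\System32\msinfo32.exe", "203.0.113.10:80"),
]

# Constructed benign activity: mail clients touching their own stores.
BENIGN = [
    Event("process", r"C:\Program Files\Mozilla Firefox\firefox.exe", r'firefox.exe D:\x.html'),
    Event("file", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
          r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\key4.db"),
    Event("registry", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0000000a\IMAP Password"),
    Event("network", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "198.51.100.5:993"),
]

if __name__ == "__main__":
    for rule, actor in detect(SAMPLE):
        print(f"{rule:40s} {actor}")
    print("chain matched:", strelastealer_like(SAMPLE), "| benign:", strelastealer_like(BENIGN))
```

The rules deliberately key on who is acting rather than on file names alone: Thunderbird and Outlook read these stores all day, so the signal is a process other than the mail client touching them and then talking to the network, which is also why the last rule only fires for an actor that has already tripped a credential rule.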

Currently, StrelaStealer preferentially targets Spanish-speaking users. But as it stands, nothing prevents it from proliferating and targeting other profiles.

Source: Bleeping Computer
