07 December 2023

StrelaStealer Being Distributed To Spanish Users

According to a report dated May 23, 2023, the StrelaStealer infostealer has been confirmed as being distributed to Spanish users.

This malware was first discovered in November 2022 and was initially distributed via spam attachments. While ISO files were previously used, ZIP files are now used as attachments. 

The distributed emails are written in Spanish and include a message about a payment fee, urging users to check the attached invoice. The attachment is a ZIP file containing the StrelaStealer malware, which steals email account credentials. 

During execution, the malware first creates a mutex whose name is derived by XORing the computer name with the string "strela", ensuring that only one instance of the malware runs on the infected system at a time.

It then collects information from the Thunderbird and Outlook email clients. If it does not find any relevant information, it displays a message box stating that the file is corrupted and cannot be opened. This message box is written in Spanish, which leads users to believe that they are dealing with a corrupted file and prevents them from realizing that the malware is running.

Thunderbird account credentials are stolen first and sent to a command-and-control (C2) server. Outlook account credentials are also stolen, and some data, such as the IMAP password, is decrypted before being transmitted. The C2 to which the collected information is sent is specified in the report.
