StrelaStealer is a specialized piece of malware that attackers use to steal the email account credentials of their victims. It is built specifically to extract account credentials from the Microsoft Outlook and Mozilla Thunderbird email clients. Details of StrelaStealer and how it operates were published in a report by cybersecurity researchers, who found that it was distributed mostly to Spanish-speaking users through a spam email campaign.
StrelaStealer uses two different techniques to obtain the targeted data, depending on whether it is attacking Outlook or Thunderbird. When extracting credentials from Outlook, the malware first queries the Windows Registry to locate the Outlook profile key and reads the 'IMAP User', 'IMAP Server' and 'IMAP Password' values stored under it. Outlook keeps the password in encrypted form, so StrelaStealer hands it to the Windows DPAPI function CryptUnprotectData, which decrypts it for any process running under the same user account; the malware needs no key of its own to recover the plaintext.
When targeting Mozilla Thunderbird, the threat instead searches the '%APPDATA%\Thunderbird\Profiles\' directory for two files. The first is 'logins.json', which holds the victim's saved account names and passwords in encrypted form; the second is 'key4.db', the NSS key database that holds the master key needed to decrypt them. Neither file is useful on its own, which is why the malware collects both. If the user has set a primary (master) password in Thunderbird, the key in 'key4.db' is itself encrypted with it, and the stolen pair cannot be decrypted without that password.
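As an added example (not code from the article or from the researchers' report), here is a hunting script a defender could run over object-access events to spot a process other than the mail client touching the artifacts described in the two paragraphs above: the Outlook profile registry key on the one hand, and the Thunderbird 'logins.json' and 'key4.db' pair on the other. The events, field names, user name and process paths are constructed for the example; the script assumes file and registry object-access auditing has produced records shaped roughly like Windows Security event 4663, and that the only legitimate readers on the host are the two mail clients.

```python
"""
Hunting for StrelaStealer-style credential access (added example; not code
from the article or from any published StrelaStealer analysis).

Artifacts the article describes:
  * Outlook:     registry values under ...\Office\<ver>\Outlook\Profiles\...
  * Thunderbird: %APPDATA%\Thunderbird\Profiles\<profile>\logins.json and key4.db

Events below are CONSTRUCTED for this example and loosely modelled on
Windows Security event 4663 (object access); the field names are an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Legitimate readers of each artifact set (assumption: nothing else on a
# normal host should open these; tune the allowlists for backup agents etc.).
OUTLOOK_OK = {"outlook.exe"}
THUNDERBIRD_OK = {"thunderbird.exe"}

# Registry path fragment under which Outlook keeps profile/account data.
OUTLOOK_KEY_RE = re.compile(r"\\office\\[\d.]+\\outlook\\profiles\\", re.I)

# Thunderbird credential store: the encrypted logins and the NSS key database.
THUNDERBIRD_FILE_RE = re.compile(
    r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Windows paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one 4663-like event, or None if benign."""
    obj = event.get("ObjectName", "")
    proc = _basename(event.get("ProcessName", ""))
    if event.get("ObjectType") == "Key":
        if OUTLOOK_KEY_RE.search(obj) and proc not in OUTLOOK_OK:
            return "outlook-profile-registry-read by %s" % proc
    elif event.get("ObjectType") == "File":
        m = THUNDERBIRD_FILE_RE.search(obj)
        if m and proc not in THUNDERBIRD_OK:
            return "thunderbird-%s-read by %s" % (m.group(1).lower(), proc)
    return None


def hunt(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Run classify() over an event stream; returns (process path, finding) pairs."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.get("ProcessName", ""), label))
    return findings


def paired_thunderbird_access(events: Iterable[Dict]) -> Set[str]:
    """Processes (full path) that read BOTH logins.json and key4.db.

    Reading one file alone may be a backup agent; a stealer needs the pair,
    because the key that decrypts logins.json lives in key4.db.
    """
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.get("ObjectType") != "File":
            continue
        m = THUNDERBIRD_FILE_RE.search(ev.get("ObjectName", ""))
        if not m:
            continue
        proc = ev.get("ProcessName", "")
        if _basename(proc) in THUNDERBIRD_OK:
            continue
        seen.setdefault(proc, set()).add(m.group(1).lower())
    return {p for p, files in seen.items() if files >= {"logins.json", "key4.db"}}


# Constructed sample events: one benign Thunderbird read, one unknown binary
# reading both Thunderbird files and the Outlook profile key, one benign
# Outlook read, and one unrelated file in the profile that must not fire.
_TB_PROFILE = r"C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default"
_OL_KEY = (r"\REGISTRY\USER\S-1-5-21-111\Software\Microsoft\Office\16.0"
           r"\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002")
_SUSPECT = r"C:\Users\ana\AppData\Local\Temp\factura.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "Accesses": "ReadData",
     "ProcessName": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "ObjectName": _TB_PROFILE + r"\logins.json"},
    {"EventID": 4663, "ObjectType": "File", "Accesses": "ReadData",
     "ProcessName": _SUSPECT, "ObjectName": _TB_PROFILE + r"\logins.json"},
    {"EventID": 4663, "ObjectType": "File", "Accesses": "ReadData",
     "ProcessName": _SUSPECT, "ObjectName": _TB_PROFILE + r"\key4.db"},
    {"EventID": 4663, "ObjectType": "Key", "Accesses": "Query key value",
     "ProcessName": _SUSPECT, "ObjectName": _OL_KEY},
    {"EventID": 4663, "ObjectType": "Key", "Accesses": "Query key value",
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ObjectName": _OL_KEY},
    {"EventID": 4663, "ObjectType": "File", "Accesses": "ReadData",
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe",
     "ObjectName": _TB_PROFILE + r"\prefs.js"},
]

if __name__ == "__main__":
    for proc, finding in hunt(SAMPLE_EVENTS):
        print(finding, "-", proc)
    print("read both Thunderbird files:", paired_thunderbird_access(SAMPLE_EVENTS))
```

The per-event labels are noisy on their own (any legitimate tool that backs up a profile will open 'key4.db'); the pairing check is the stronger signal, and adding the registry hit from the same process, as in the sample, is what makes the pattern look like this stealer rather than a backup job.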
Access to a victim's mailbox gives the attackers many fraudulent options. They can harvest the data found in the messages of the breached account, or use the mailbox to take over other accounts tied to that email address, for example through password resets. They can also impersonate the victim and start sending lure messages that spread misinformation or malware, request money, and so on.