A Deep Dive into Strela Stealer and how it Targets European Countries
April 14, 2025, 12:17 p.m.
Description
Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germany, and Ukraine. Recent attacks involve forwarding legitimate emails with malicious attachments. Strela Stealer employs multi-layer obfuscation and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific German-speaking countries. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.
Date
- Created: April 13, 2025, 10:37 a.m.
- Published: April 13, 2025, 10:37 a.m.
- Modified: April 14, 2025, 12:17 p.m.
Additional Information
- Liechtenstein
- Luxembourg
- Austria
- Switzerland
- Poland
- Spain
- Italy
- Germany
- Ukraine