This new sophisticated malware campaign is targeting Outlook users




Security researchers have uncovered a highly sophisticated malware campaign targeting Microsoft Outlook users to steal their login credentials. The malware, named “Strela Stealer” (derived from the Russian word for “arrow”), has been active since late 2022 and is specifically designed to extract email credentials from both Microsoft Outlook and Mozilla Thunderbird clients.

Here’s how the malware spreads

Strela Stealer primarily affects users in several European countries, including Spain, Italy, Germany, Poland, and Ukraine. It spreads through targeted phishing emails that have become more advanced over time. In recent attacks, cybercriminals have forwarded legitimate-looking emails containing invoice notifications, but with a dangerous twist—the original attachments have been swapped out for ZIP files carrying the malware loader. These deceptive emails are written in the recipient’s native language, making them appear authentic and increasing the chances of the victim opening the infected file.

Strela Stealer works in multiple steps

Execution chain of Strela Stealer. Source: SpiderLabs.

Once activated, the malware follows a multi-stage infection process, using advanced obfuscation techniques to make detection and analysis difficult.

  1. Initial Verification:
    • The malware begins by running a highly obfuscated JScript file that checks whether the system is located in one of the targeted countries.
    • It does this by reading the Locale value under the Windows registry key (“Control Panel\International\Locale”) and comparing the system’s Locale ID (LCID) against a list of predefined values associated with German-speaking regions.
  2. Downloading Additional Components:
    • If the system matches one of the targeted regions, the malware downloads more malicious components from a command and control server using the WebDAV protocol.
    • This technique allows the malware to execute in memory rather than being saved to the hard drive, making it harder for traditional antivirus software to detect.
  3. Stealing Outlook Credentials:
    • Strela Stealer scans the Windows registry for Outlook profile data in its final stage.
    • It specifically looks for keys storing email configurations, such as:
      "HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
    • Once found, the malware extracts login credentials, including IMAP username, IMAP server details, and IMAP passwords.
    • The stored password is encrypted with Windows DPAPI; the malware decrypts it by calling the CryptUnprotectData API function, which gives the attackers the credentials in plaintext.
  4. Transmitting Stolen Data:
    • The compromised login credentials and system information are then sent to the attacker’s server via HTTP POST requests, allowing them to gain unauthorized access to victims’ email accounts.
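As an added example (not code from the article or from SpiderLabs), the Python below shows what the four stages above look like from the detection side: it correlates stage indicators across a process tree in endpoint telemetry and alerts only when several of them line up in one tree. The event layout, the sample events, the child process name (rundll32.exe) and the addresses are constructed for the example; the locale key, the Outlook profile key, the WebDAV fetch and the HTTP POST come from the article. It generalises the profile-key match to any Office version rather than only the 15.0 path quoted above.

```python
"""
Added example, not part of the article: correlate Strela Stealer-style stage
indicators per process tree in (constructed) endpoint telemetry.
"""
import re
from collections import defaultdict

# Registry paths from the article (any hive prefix, any Office version).
LOCALE_KEY_RE = re.compile(r"control panel\\international\\locale$", re.IGNORECASE)
OUTLOOK_PROFILE_RE = re.compile(
    r"\\software\\microsoft\\office\\\d+\.\d+\\outlook\\profiles\\[^\\]+"
    r"\\9375cff0413111d3b88a00104b2a6676",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # hosts that run a JScript loader
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|wsf)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_strela_chain(events):
    """Return {root_pid: set(stage_names)} for every process tree in the trace."""
    root = {}                    # pid -> pid of the tree root stages are attributed to
    image = {}                   # pid -> image basename
    stages = defaultdict(set)

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            root[pid] = root.get(ev["ppid"], pid)
            image[pid] = basename(ev["image"])
            # stage 1: a script host launched on a .js/.jse/.wsf file
            if image[pid] in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(ev["cmdline"]):
                stages[root[pid]].add("jscript_loader")
            continue
        if pid not in root:
            continue             # process started before the trace window
        r, img = root[pid], image[pid]
        if kind == "registry_read":
            key = ev["key"]
            # every Windows process reads the locale; only a script host doing it is odd
            if img in SCRIPT_HOSTS and LOCALE_KEY_RE.search(key):
                stages[r].add("locale_check")
            # the Outlook profile key is expected from Outlook itself and nothing else
            if img != "outlook.exe" and OUTLOOK_PROFILE_RE.search(key):
                stages[r].add("outlook_profile_read")
        elif kind == "http_request":
            method = ev["method"].upper()
            if method == "PROPFIND":                     # stage 2: WebDAV fetch
                stages[r].add("webdav_fetch")
            elif method == "POST" and "outlook_profile_read" in stages.get(r, ()):
                stages[r].add("http_post_after_profile_read")   # stage 4
    return dict(stages)


def alerts(events, min_stages=3):
    """Only trees showing at least min_stages indicators are worth an alert."""
    return {pid: sorted(s) for pid, s in detect_strela_chain(events).items()
            if len(s) >= min_stages}


# Constructed sample trace: one malicious tree (pid 4101 and its child) plus
# benign Outlook activity that touches the same registry keys.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4101, "ppid": 880,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_Rechnung.zip\\Rechnung.js"'},
    {"type": "registry_read", "pid": 4101, "key": "HKCU\\Control Panel\\International\\Locale"},
    {"type": "http_request", "pid": 4101, "method": "PROPFIND", "host": "203.0.113.10"},
    {"type": "process_create", "pid": 4188, "ppid": 4101,          # child name is a placeholder
     "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe placeholder"},
    {"type": "registry_read", "pid": 4188,
     "key": "HKCU\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
            "\\9375CFF0413111d3B88A00104B2A6676\\00000002"},
    {"type": "http_request", "pid": 4188, "method": "POST", "host": "203.0.113.10"},
    {"type": "process_create", "pid": 5000, "ppid": 880,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "cmdline": "outlook.exe"},
    {"type": "registry_read", "pid": 5000, "key": "HKCU\\Control Panel\\International\\Locale"},
    {"type": "registry_read", "pid": 5000,
     "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
            "\\9375CFF0413111d3B88A00104B2A6676\\00000002"},
]

if __name__ == "__main__":
    for pid, found in alerts(SAMPLE_EVENTS).items():
        print(f"tree rooted at pid {pid}: {', '.join(found)}")
```

A single stage on its own is noise: every process reads the locale key and Outlook legitimately reads its own profile, which is why the locale read is scored only from a script host, the profile read only from anything other than outlook.exe, and an alert needs several stages in one tree. Stages are attributed to the root of the tree so that a loader that spawns a child for the in-memory stage is still seen as one chain.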

Some simple steps to stay protected

To stay safe from Strela Stealer and similar cyber threats, follow these security best practices:

  • Be cautious with email attachments – Avoid opening unexpected or suspicious emails, especially those with ZIP file attachments.
  • Strengthen email security – Use advanced email protection tools to block phishing attempts.
  • Keep antivirus software up to date – Regular updates help detect and prevent new malware strains.
  • Educate yourself and others – Awareness about phishing tactics can significantly reduce the chances of falling victim to scams.
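The first two points above come down to not letting an archive that carries a script loader reach the mailbox. As an added example (not from the article), the Python below is a mail-gateway style check over a ZIP attachment: it flags members with a script extension, members whose name imitates an invoice document with a script extension tacked on, and password-protected members that cannot be inspected at all. The sample archives are built in memory for the example and the extension lists are this example's assumptions.

```python
"""
Added example, not part of the article: inspect a ZIP attachment the way a mail
gateway would before delivering it, flagging script loaders hidden as invoices.
"""
import io
import os
import zipfile

# Assumed lists: extensions Windows hands to a script host, and what an invoice
# attachment is actually expected to be.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def suspicious_members(zip_bytes):
    """Return [(member_name, reason), ...] for entries a gateway should block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            inner = os.path.splitext(stem)[1]          # e.g. ".pdf" in "Rechnung.pdf.js"
            if ext in SCRIPT_EXTENSIONS:
                findings.append((name, f"script extension {ext}"))
            if inner in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
                findings.append((name, "document-looking double extension"))
            if info.flag_bits & 0x1:
                # encrypted member: content scanning is impossible, so treat as suspect
                findings.append((name, "encrypted member, cannot be inspected"))
    return findings


def should_block(zip_bytes):
    return bool(suspicious_members(zip_bytes))


def build_sample_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a real-looking invoice and a loader posing as one.
SAMPLE_BENIGN = build_sample_zip({"Rechnung_2024-11.pdf": b"%PDF-1.4 constructed placeholder"})
SAMPLE_MALICIOUS = build_sample_zip({"Rechnung_2024-11.pdf.js": b"// constructed placeholder"})

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, "block" if should_block(sample) else "deliver", suspicious_members(sample))
```

The check is deliberately name-based so it runs before any content scanning; a nested archive or a member that is renamed after delivery is outside its reach, which is why the page's remaining advice (up-to-date antivirus on the endpoint and user awareness) still matters.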

By staying vigilant and following these measures, users can reduce the risk of credential theft and keep their email accounts safe from cybercriminals.
