Resurgent malware targets Outlook and Thunderbird users but bypasses Russia

Security researchers warn about a spike in the use of credential stealers, dubbed StrelaStealer, to target email clients in Poland, Germany, Spain, and Italy. The malware has checks in place to avoid infecting systems in Russia.

The SonicWall Capture Labs threat research team has discovered a recent spike in malicious activity using StrelaStealer.

Cybercriminals gain initial access via archived and obfuscated JavaScript files sent to the victims through email.

The script checks the system language to exclude Russian users from infection by the stealer.

The malware uses multiple stages and drops a copy of itself and other stealer files under random names, likely to evade detection.

The stealer also checks the keyboard layout for specific language codes used in Spain, Poland, Italy, and Germany to detect the system's geographic location.

“The main stealing functionality starts with the Mozilla Thunderbird email client,” researchers warn in a report.

However, it also checks for Outlook's presence later and exfiltrates all credentials from both clients to the IP address 45.9.74[.]176.
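As an added defender-side illustration (not code from the article or from SonicWall), the snippet below refangs the indicator named above and sweeps a few constructed proxy log lines for outbound connections to it, grouping hits by source host. The log field names (`host=`, `dst=`, `dport=`, `bytes_out=`) and the log lines themselves are assumptions made up for the example; only the IP address comes from the report.

```python
import ipaddress
import re

# Indicator from the article, written defanged as it appears in the report.
IOC_DEFANGED = "45.9.74[.]176"

# Constructed sample proxy log lines (not taken from the report); the field
# layout is an assumption for this example.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z host=ws-14 dst=45.9.74.176 dport=80 bytes_out=18342",
    "2024-03-01T10:02:40Z host=ws-14 dst=142.250.74.78 dport=443 bytes_out=512",
    "2024-03-01T10:05:03Z host=ws-22 dst=45.9.74.176 dport=80 bytes_out=20110",
    "2024-03-01T10:06:15Z host=ws-31 dst=45.9.74.17 dport=80 bytes_out=300",
]

_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
_HOST_RE = re.compile(r"\bhost=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 45.9.74[.]176 into 45.9.74.176."""
    return ioc.replace("[.]", ".")


def matching_hosts(log_lines, ioc_defanged=IOC_DEFANGED):
    """Return {source_host: [matching log lines]} for connections to the IoC.

    The destination is compared as a full IP address, so a longer or shorter
    address that merely shares a prefix (45.9.74.17) is not a hit.
    """
    ioc = refang(ioc_defanged)
    ipaddress.ip_address(ioc)  # raises ValueError if the refanged IoC is malformed
    hits = {}
    for line in log_lines:
        dst = _DST_RE.search(line)
        if dst is None or dst.group(1) != ioc:
            continue
        host_match = _HOST_RE.search(line)
        host = host_match.group(1) if host_match else "<unknown>"
        hits.setdefault(host, []).append(line)
    return hits


if __name__ == "__main__":
    for host, lines in matching_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {len(lines)} connection(s) to {refang(IOC_DEFANGED)}")
```

Matching on the whole address rather than a substring matters here: a naive `"45.9.74.17" in line` style check would flag the unrelated `45.9.74.17` destination as well, and the regex anchored with `\b` avoids that.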

StrelaStealer was reported in the wild in early November 2022 and has been constantly updated with obfuscation and anti-analysis techniques.