Security researchers at Sonicwall have noticed a significant rise in infections caused by the Strelastealer malware, a well-known infostealer. The malware is designed to steal access data specifically from Outlook and Thunderbird. The targets of this campaign are users located in Germany and three other European Union countries, excluding Russia.
Please follow us on Twitter and Facebook
The infection chain observed by Sonicwall researchers does not differ from previous attacks involving Strelastealer. However, the attackers have recently implemented a check to prevent infections on systems based in Russia.
The attack campaign, as monitored by Sonicwall, focuses on specific regions within the EU: Poland, Spain, Italy, and Germany. The attackers aim to obtain login information from Outlook and Thunderbird email programs, primarily on Windows operating systems.
According to the researchers, the attacks commence with emails containing archive files containing obfuscated JavaScript. Upon execution of the file, the system’s language is checked initially.
Read Also: Reportedly, Kaspersky’s AI Used in Russian Military Drones
Russian Systems Remain Unaffected
If the language code detected is Russian, the infection process stops. Otherwise, Strelastealer proceeds to install using a DLL file containing “highly obfuscated code”.
To identify the origin of the targeted system, the malware uses an API called GetKeyboardLayout to check the selected keyboard language. Sonicwall explains that the malware compares this with several language codes commonly used in Spanish, Polish, Italian, and German systems.
Afterwards, the attackers search through the user’s Appdata directory and the Windows registry to locate user profiles associated with Thunderbird and Outlook. Any discovered data is then transmitted to a server controlled by the attackers.
Read Also: US Wants to Prevent China and Russia from Using Advanced Software to Develop AI
Strelastealer Has Been Active Since At Least The End Of 2022
The researchers did not clarify the method by which attackers convince their victims to open the archive file attached to the emails, initiating the infection process. It’s possible they employ social engineering tactics, potentially leveraging information about the target person obtained from data breaches or other forms of contact.
In early April, Sonicwall researchers released a detailed report on Strelastealer, providing additional technical insights into the malware. The initial instances of attacks involving this malware were detected in November 2022.
Read Also: Russia Carries Out Cyber Attacks on German Facilities
