Cyber Attacks
July 25, 2024

Cyber Security Alert: Fake CrowdStrike Recovery Manual Spreads Daolpu Infostealer

In a recent cyber security advisory, CrowdStrike has warned about a new wave of phishing attacks exploiting the aftermath of the flawed CrowdStrike Falcon update. Cybercriminals are distributing a fake recovery manual that installs a newly identified information-stealing malware known as Daolpu.

Background

Following a problematic CrowdStrike Falcon update last Friday that caused widespread IT outages, threat actors have swiftly taken advantage of the situation. They are leveraging the chaos to deliver malware through fraudulent fixes, posing a significant threat to organisations and individuals alike.

The Attack Vector

The latest campaign involves phishing emails masquerading as official instructions for a new Recovery Tool aimed at fixing Windows devices affected by the recent Falcon crashes. These emails contain an attachment named 'New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm,' which pretends to be a Microsoft support document.

Mechanism of Infection

When the recipient enables macros in the attached document, the malicious payload runs. The macro downloads a base64-encoded DLL from an external source and writes it to '%TMP%\mscorsvc.dll.' It then uses the Windows certutil utility to decode the DLL, which subsequently executes the Daolpu stealer.

Data Harvesting

Once active, Daolpu terminates all running Chrome processes and attempts to collect login data and cookies stored in various web browsers, including Chrome, Edge, Firefox, and Cốc Cốc. This data is temporarily saved in '%TMP%\result.txt' before being sent to the attackers' command-and-control (C2) server at 'http[:]//172.104.160[.]126:5000/Uploadss.'
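The two stages above (certutil decoding the dropped DLL, then the harvested data being staged and uploaded) leave host and network artifacts that a defender can hunt for. The following is an added example, not code from CrowdStrike's advisory or from this post: a small Python classifier run over constructed, Sysmon-like event records that flags only the artifacts the advisory names. The record layout, the sample paths and the assumption that the macro's child process is WINWORD.EXE are mine.

```python
from __future__ import annotations
from dataclasses import dataclass
# Artifacts quoted in the advisory (C2 address written undefanged so it can be matched)
C2_HOST, C2_PORT, C2_PATH = "172.104.160.126", 5000, "/Uploadss"
DLL_NAME, STAGING_FILE = "mscorsvc.dll", "result.txt"
OFFICE_PARENTS = {"winword.exe"}  # assumption: the .docm macro runs under Word

@dataclass
class Event:            # minimal Sysmon-like record; fields a kind does not use stay empty
    kind: str           # "process", "network" or "file"
    image: str = ""
    parent: str = ""
    cmdline: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    url: str = ""
    target: str = ""
def _base(path: str) -> str:  # lower-cased final path component
    return path.lower().rsplit("\\", 1)[-1]
def classify(ev: Event) -> str | None:
    """Label one event with the stage of the chain it matches, or None if benign."""
    cmd = ev.cmdline.lower()
    if ev.kind == "process":
        # Stage 1: certutil -decode turning the base64 blob in %TMP% into mscorsvc.dll
        if _base(ev.image) == "certutil.exe" and "-decode" in cmd and DLL_NAME in cmd:
            tag = "certutil_decode_mscorsvc"
            return tag + "_from_office" if _base(ev.parent) in OFFICE_PARENTS else tag
    elif ev.kind == "network":
        # Stage 2: upload of harvested browser data to the advisory's C2 endpoint
        if (ev.dest_ip, ev.dest_port) == (C2_HOST, C2_PORT) or C2_PATH.lower() in ev.url.lower():
            return "daolpu_c2_upload"
    elif ev.kind == "file":
        # Stolen logins and cookies are staged in %TMP%\result.txt before upload
        tgt = ev.target.lower()
        if "\\temp\\" in tgt and tgt.endswith("\\" + STAGING_FILE):
            return "daolpu_staging_file"
    return None

def sweep(events: list[Event]) -> list[str]:  # non-benign labels for a batch, in order
    return [lbl for lbl in map(classify, events) if lbl]

TMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed sample path
SAMPLE = [  # constructed events, not taken from the advisory
    Event("process", r"C:\Windows\System32\certutil.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          rf"certutil -decode {TMP}\mscorsvc.dll {TMP}\mscorsvc.dll"),
    Event("process", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
          "certutil -hashfile setup.msi SHA256"),  # benign certutil use, must not fire
    Event("network", dest_ip=C2_HOST, dest_port=C2_PORT, url=f"http://{C2_HOST}:{C2_PORT}{C2_PATH}"),
    Event("file", target=rf"{TMP}\result.txt"),
]
```

A benign certutil invocation (hashing, as in the second sample) does not fire, so the rule keys on the combination of `-decode`, the DLL name and the Office parent rather than on certutil alone.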

Indicators of Compromise

CrowdStrike's advisory includes a YARA rule to help detect artifacts related to this attack. Key indicators of compromise (IoCs) are listed to aid in identifying and mitigating the threat.

Official Recommendations

CrowdStrike urges customers to rely solely on official communication channels for guidance. Only follow advice found on the CrowdStrike website or other verified sources. Additionally, Microsoft has released a custom recovery tool to assist in restoring affected systems.

Broader Implications

The Daolpu stealer represents just one facet of the extensive exploitation by cybercriminals following the Falcon update mishap. Approximately 8.5 million Windows systems were affected, necessitating manual restoration efforts. Other reported malicious activities include data wipers deployed by the pro-Iranian hacktivist group 'Handala' and the HijackLoader dropping Remcos RAT disguised as a CrowdStrike hotfix.

To Sum Up

The fallout from the faulty CrowdStrike Falcon update is ongoing, with cybercriminals continuing to exploit the situation. CrowdStrike and other security firms remain vigilant, providing updates and tools to mitigate these threats. For the latest official remediation advice from CrowdStrike, visit their dedicated webpage.

Stay informed and protect your systems by verifying the authenticity of any recovery instructions you receive, and remain cautious of any unsolicited communications claiming to offer fixes for the recent outages.
