CrowdStrike is alerting users about a new threat involving a fraudulent recovery manual that claims to fix Windows devices but instead installs an information-stealing malware called Daolpu. This issue arose following a faulty CrowdStrike Falcon update last Friday, which caused global IT outages.

Campaign Details

Cybercriminals quickly exploited the situation by sending phishing emails carrying a document disguised as a Microsoft recovery manual, titled “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.” Enabling the macros in this document downloads a base64-encoded DLL file, which is then decoded and executed to install the Daolpu malware.

Once active, Daolpu collects sensitive information like account credentials, browser history, and authentication cookies from browsers such as Chrome, Edge, Firefox, and Cốc Cốc. The collected data is temporarily stored and then sent to a command-and-control server before being deleted from the device.

Distribution and Effects

The Daolpu stealer is primarily spread through phishing emails. The malicious document appears to be a legitimate Microsoft support bulletin but contains harmful macros. These macros use Windows certutil to decode and execute the malware, which terminates all running Chrome processes to gather saved login data and cookies. The malware’s focus on the Vietnamese browser Cốc Cốc may hint at its origin.
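The page describes the infection chain (Office document with macros, certutil decoding the payload) but does not reproduce CrowdStrike's YARA rule. The following behavioural detection is an added example, not CrowdStrike's rule or anything from the campaign's actual telemetry: it runs over constructed JSON-lines process-creation events in a simplified EDR-like schema (`pid`, `image`, `parent_image`, `command_line`, all assumed field names) and flags the specific chain on the page (an Office process spawning `certutil.exe` with `-decode`) as high severity, and generalizes to the common defender rule of an Office process spawning any living-off-the-land binary as medium severity. The file paths and the sample events are constructed placeholders, not indicators from the page.

```python
"""Behavioural detection for the macro -> certutil -decode chain described above.
Added example: constructed events, assumed schema; not CrowdStrike's published YARA rule."""
import json
import re
from pathlib import PureWindowsPath

# Parent processes that should rarely spawn command-line tooling on a user workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children worth flagging when spawned by an Office app (generalization beyond the page,
# which names only certutil).
SUSPICIOUS_CHILDREN = {
    "certutil.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}

# certutil accepts both "-decode" and "/decode" (and "-decodehex"); match the flag as a
# standalone token so that e.g. "-verify" does not trigger it.
CERTUTIL_DECODE = re.compile(r"(?i)(?:^|\s)[-/]decode(?:hex)?(?:\s|$)")

# Constructed sample telemetry (JSON lines). Paths and PIDs are placeholders.
SAMPLE_LOG = [
    r'{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm\""}',
    r'{"pid": 4188, "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "certutil.exe -decode C:\\Users\\alice\\AppData\\Local\\Temp\\update.txt C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"}',
    r'{"pid": 5011, "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "certutil.exe -verify C:\\certs\\root.cer"}',
    r'{"pid": 5290, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "cmd.exe /c echo test"}',
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict):
    """Return an alert dict for one process-creation event, or None if benign."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event.get("command_line", "")

    # Specific chain from the page: Office app -> certutil decoding a payload.
    if child == "certutil.exe" and parent in OFFICE_APPS and CERTUTIL_DECODE.search(cmd):
        return {"rule": "office_certutil_decode", "severity": "high", "pid": event["pid"]}

    # Broader rule: Office app spawning any living-off-the-land binary.
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        return {"rule": "office_spawns_lolbin", "severity": "medium", "pid": event["pid"]}

    return None


def detect(lines):
    """Run evaluate() over JSON-lines telemetry; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']}")
```

Run against the constructed log, the certutil `-decode` child of WINWORD.EXE is flagged as high, the `cmd.exe` child of WINWORD.EXE as medium, and the administrator's `certutil -verify` from `cmd.exe` produces nothing, which is the false-positive case a practitioner would check before deploying a rule keyed on certutil alone.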

CrowdStrike’s Response

CrowdStrike has provided a YARA rule to detect signs of this attack and listed the associated indicators of compromise. They advise customers to confirm that any communications and guidance come directly from CrowdStrike’s website or other trusted sources, to avoid falling victim to these scams.

Broader Exploitation

This attack is part of a larger pattern of cybercriminals taking advantage of the confusion caused by the CrowdStrike Falcon update. Other reported activities include data wipers from the pro-Iranian group ‘Handala’ and HijackLoader dropping Remcos RAT disguised as a CrowdStrike fix. There has also been an increase in phishing attempts impersonating CrowdStrike representatives and a surge in new domain registrations for these campaigns.

For the latest official remediation advice from CrowdStrike and to stay updated on new recommendations, visit their official page.

Conclusion

The impact of the CrowdStrike Falcon update is extensive, affecting around 8.5 million Windows systems that need manual restoration. As cybercriminals continue to exploit the situation, it is crucial for users to remain cautious and follow official guidance to protect their systems from these ongoing threats.

Sources

CrowdStrike Blog