A few days ago, we reported that cybercriminals were taking advantage of the widespread disruption caused by a faulty CrowdStrike update. They distributed a malicious ZIP archive named "crowdstrike-hotfix.zip" and launched a massive phishing campaign targeting CrowdStrike customers.
Yesterday, CrowdStrike notified its customers about a new method used by cybercriminals. A new Word document is circulating, impersonating a Microsoft recovery manual for CrowdStrike BSOD (Blue Screen of Death) issues. This Word document contains macros that, when executed, download a stealer now tracked as Daolpu.
Malicious Word document details:
- File name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
- SHA256 hash: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
To protect yourself against the type of malware attack described in the report, follow these recommendations:
- Verify CrowdStrike Communication: Only interact with CrowdStrike representatives through official channels and follow their technical guidance.
- Check Website Certificates: Before downloading software, confirm that the site is CrowdStrike's own domain and that its TLS certificate is valid and issued to that domain. A valid certificate on a look-alike domain proves nothing, so check the domain name, not just the padlock.
- Train Users: Educate IT employees to avoid opening or running files from untrusted sources.
- Enable Browser Protection: Use your browser's settings to activate download protection, which can warn you about potentially harmful websites or downloads.
- Hunt for Daolpu Indicators: Look for a file named "result.txt" in the user's temporary folder (%TMP%). Its presence may indicate a Daolpu infection; confirm by checking the file's contents and creation time, and hash any recovery-themed .docm files found on the host against the SHA256 above.
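To make the last recommendation repeatable, the following is an added example written for this article; it is not CrowdStrike's tooling and was not part of the original report. It checks %TMP% for result.txt and hashes every .docm under the chosen directories against the published SHA256. Python is used so it runs on any platform; on a Windows host it reads %TMP% from the environment, while the directory list and the constructed sample tree built by build_constructed_sample are assumptions for the demonstration only.

```python
"""
Hunt for the two Daolpu indicators named in the report:
  1. result.txt in the user's temporary folder (%TMP%)
  2. any .docm whose SHA-256 matches the published lure document hash
Added example for this article; not CrowdStrike's tooling.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the malicious .docm, as published in the report.
MALICIOUS_DOCM_SHA256 = {
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61",
}
# File name the report associates with a Daolpu infection, expected under %TMP%.
DAOLPU_RESULT_FILE = "result.txt"


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_daolpu(tmp_dir=None, search_dirs=(), bad_hashes=MALICIOUS_DOCM_SHA256):
    """Return a list of (indicator, path) findings; an empty list means nothing found.

    tmp_dir defaults to %TMP% on Windows (or the platform temp dir elsewhere).
    search_dirs are walked recursively for .docm files to hash.
    """
    tmp_dir = Path(tmp_dir or os.environ.get("TMP") or tempfile.gettempdir())
    findings = []

    # Indicator 1: the stealer's output file in the temp folder.
    result = tmp_dir / DAOLPU_RESULT_FILE
    if result.is_file():
        findings.append(("daolpu_result_file", str(result)))

    # Indicator 2: the lure document, matched by hash rather than by name,
    # since the file name is trivially changed by the attacker.
    for base in search_dirs:
        for p in Path(base).rglob("*.docm"):
            try:
                if sha256_of(p) in bad_hashes:
                    findings.append(("malicious_docm", str(p)))
            except OSError:
                continue  # unreadable file (locked, permissions); skip, do not abort
    return findings


def build_constructed_sample():
    """Create a throwaway directory holding a fake result.txt and a fake .docm.

    Constructed test data for this example only: the .docm is NOT the real lure,
    so its hash is returned so a caller can pass it as bad_hashes.
    """
    root = Path(tempfile.mkdtemp(prefix="daolpu_hunt_"))
    (root / DAOLPU_RESULT_FILE).write_text("constructed stealer output\n")
    docm = root / "New_Recovery_Tool.docm"
    docm.write_bytes(b"PK\x03\x04 constructed sample, not the real document")
    return root, sha256_of(docm)


if __name__ == "__main__":
    # Assumed locations where a user would save a phishing attachment.
    user_dirs = [Path.home() / d for d in ("Downloads", "Desktop", "Documents")]
    hits = hunt_daolpu(search_dirs=[d for d in user_dirs if d.is_dir()])
    for kind, path in hits:
        print(f"[!] {kind}: {path}")
    if not hits:
        print("No Daolpu indicators found.")
```

Hashing every .docm instead of searching for the published file name is deliberate: the name is the easiest part of a lure to change, while the hash identifies the exact sample the report describes. A renamed or recompiled variant will still be missed, so treat a clean result as absence of this specific indicator, not as proof the host is clean.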
Yesterday, we reported that CrowdStrike developed a new technique to accelerate remediation of impacted systems. Additionally, CrowdStrike now enables customers to build their own bootable image files to automate the recovery of Windows machines.
- CSPERecovery - This image uses Windows PE to remove the impacted Channel File 291 with minimal user interaction. If the volume is protected by BitLocker encryption, the bootable image prompts for the BitLocker recovery key before performing the automated remediation.
- CSSafeBoot - This image uses Windows PE to reboot the host into Safe Mode with Networking, allowing manual removal of Channel File 291 using Windows Explorer or Command Prompt. If the volume is protected by BitLocker encryption, the recovery key is not required. This option is useful for systems that have difficulty entering Safe Mode on their own.
You can learn more about these bootable image files here.
Source: CrowdStrike