Hackers are using the fallout from the recent CrowdStrike incident to target people looking for a fix with malware – and experts have warned some are quite creative in their campaigns, since on the surface it really seems as if they’re helping fix the problem.
Crowdstrike says it observed a phishing campaign, in which crooks are sharing a document called ‘New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm,’ BleepingComputer reports.
When opened, the document shows a copy of a Microsoft support bulletin that instructs the reader on how to use the new Microsoft Recovery Tool – which should automatically delete the flawed CrowdStrike driver from the Windows PC.
Infected with Daolpu
However, the document is also laden with macros that ultimately deliver an infostealer. A macro is a feature in Microsoft Office that helps automate repetitive tasks. Throughout the years it was abused to deliver malware to that extent that Microsoft essentially killed the feature.
In this instance, however, the crooks are still using macros to install an infostealer called Daolpu. This malware steals account credentials, browser history, and authentication cookies stored in Chrome, Edge, Firefox. It also steals information stored in Cốc Cốc – a web browser popular in Vietnam, which BleepingComputer argues could point to the threat actor’s origins, or at least location.
CrowdStrike pushed a faulty update that bricked many Windows PCs around the world and forced them into an infinite boot loop. Many major organizations, including banks, airlines, and television stations, were unable to operate as a result.
Unsurprisingly to anyone, this event brought cybercriminals out of the woodwork, using it as an opportunity to compromise devices, steal sensitive information, and possibly steal money, too.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned of an ongoing phishing campaign, telling users to “avoid clicking on phishing emails or suspicious links.”
CISA says it has already observed multiple campaigns in which crooks either impersonated CrowdStrike, or presented themselves as IT pros capable of quickly fixing the problem. In at least one of such emails, the fraudsters asked for money in cryptocurrencies, in exchange for a fix.
A separate warning from AnyRun highlighted a malware campaign targeting BBVA bank customers offering a fake CrowdStrike Hotfix update that actually installs the Remcos remote access tool (RAT).
