Hackers are using the fallout from the recent CrowdStrike incident to target people who are looking for a fix with malware. According to experts, some of these campaigns are quite creative, because at first glance they really look like they are helping to solve the problem.
CrowdStrike says it has observed a phishing campaign in which criminals are sharing a document called ‘New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm’, BleepingComputer reports.
When you open the document, you see a copy of a Microsoft support bulletin with instructions for using a supposed new Microsoft Recovery Tool, which, according to the document, will automatically remove the faulty CrowdStrike driver from your Windows PC.
Infected with Daolpu
However, the document also contains macros that ultimately deliver an infostealer. A macro is a feature in Microsoft Office that helps automate repetitive tasks. Over the years it has been abused to deliver malware to such an extent that Microsoft now blocks macros by default in documents downloaded from the internet, which has essentially killed the feature for most users.
In this case, however, the crooks still rely on macros to install an infostealer called Daolpu. This malware steals account credentials, browsing history, and authentication cookies stored in Chrome, Edge, and Firefox. It also steals information stored in Cốc Cốc, a web browser popular in Vietnam, which BleepingComputer suggests may point to the origin of the threat actor, or at least their location.
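The lure above is a macro-enabled Word document (.docm), and the macros are what deliver Daolpu. A practical triage step is to look inside the OOXML container itself rather than trusting the file extension: a macro-enabled Office file is a zip archive that carries a `word/vbaProject.bin` part and declares it in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`. The following is an added example written for this page, not code from CrowdStrike, BleepingComputer or the malware authors. It uses only the Python standard library, builds a minimal constructed .docm-style container in memory (not the real lure, and with an empty OLE stub in place of a real VBA project), and flags macro presence, an extension/content mismatch, and a simple keyword-based lure filename heuristic; the keyword list is an assumption chosen to match the filename quoted above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_EXTS = ("docm", "dotm", "xlsm", "pptm")
NON_MACRO_EXTS = ("docx", "dotx", "xlsx", "pptx")
# Hypothetical lure-word list, chosen to match the filename quoted in the article.
LURE_WORDS = ("recovery", "fix", "hotfix", "tool", "update")


def inspect_ooxml(data: bytes) -> dict:
    """Inspect an OOXML zip container and report macro-related facts."""
    info = {"is_zip": False, "parts": [], "vba_parts": [],
            "vba_content_type_declared": False, "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return info  # not a zip-based Office file
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    with zf:
        info["is_zip"] = True
        info["parts"] = zf.namelist()
        # The VBA project is stored as a binary part; its name is the strongest signal.
        info["vba_parts"] = [n for n in info["parts"] if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in info["parts"]:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter():
                ct = el.get("ContentType", "")
                # Either the explicit VBA part type or a *.macroEnabled.* main part declares macros.
                if ct == VBA_CONTENT_TYPE or "macroEnabled" in ct:
                    info["vba_content_type_declared"] = True
    info["has_macros"] = bool(info["vba_parts"]) or info["vba_content_type_declared"]
    return info


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for a filename plus its bytes."""
    info = inspect_ooxml(data)
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTS:
        findings.append(f"macro-enabled extension .{ext}")
    if info["has_macros"]:
        findings.append("VBA project present in container")
        if ext in NON_MACRO_EXTS:
            findings.append("extension claims no macros but container carries a VBA project")
    lowered = filename.lower()
    if "crowdstrike" in lowered and any(w in lowered for w in LURE_WORDS):
        findings.append("filename mimics an incident-fix lure")
    return findings


def build_sample_docm(with_vba: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test data, not a real lure)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                    f'<Default Extension="xml" ContentType="application/xml"/>{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE compound-file magic followed by padding: a stub, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    lure_name = "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"
    for name, blob in ((lure_name, build_sample_docm(True)),
                       ("report.docx", build_sample_docm(True)),
                       ("notes.docx", build_sample_docm(False))):
        print(name, "->", triage(name, blob) or ["no macro indicators"])
```

This does not parse the VBA source itself (that needs an OLE/MS-OVBA parser such as oletools), but it is enough to quarantine anything that carries a VBA project regardless of what its name claims, and it runs offline on a mail gateway or a share scan.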
CrowdStrike pushed a faulty update that crashed many Windows PCs around the world and left them in an endless boot loop. Many major organizations, including banks, airlines, and television stations, were unable to function as a result.
It will come as no surprise that this event brought out cybercriminals who used it as an opportunity to compromise devices, steal confidential information and, potentially, money.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned of an ongoing phishing campaign, urging users “not to click on phishing emails or suspicious links.”
CISA says it has observed multiple campaigns in which scammers have impersonated CrowdStrike or posed as IT professionals who could quickly resolve the issue. In at least one of those emails, the scammers asked for cryptocurrency in exchange for a fix.
A separate alert from AnyRun pointed out a malware campaign targeting BBVA bank customers, offering a fake CrowdStrike Hotfix update that actually installs the Remcos remote access tool (RAT).