CavalierGPT: The First Comprehensive Infostealers AI Bot - Read More →

Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer

On July 22, 2024, CrowdStrike Intelligence identified a Word document containing macros that download an unidentified stealer now tracked as Daolpu. The document impersonates a Microsoft recovery manual.1 Initial analysis suggests the activity is likely criminal.

Technical Analysis

Lure Document

The analyzed file,

New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

(SHA256 hash:

803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61

), is a Word document containing malicious macros.

Upon execution, the macro retrieves a second-stage DLL from URL http[:]//172.104.160[.]126:8099/payload2.txt that is saved to %TMP%\mscorsvc.dll. On 22 July 2024, the URL served a file (SHA256 hash:

5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721

) containing a Base64-encoded DLL that, when decoded, executes the novel stealer Daolpu.

A macro decodes the DLL using the Windows utility certutil, resulting in another DLL file (SHA256 hash:

4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a

; build timestamp 2024-07-19 08:10:10 UTC). Then, the macro runs this DLL using rundll32 and calls the exported function DllMain.

Daolpu Stealer

Upon execution, Daolpu invokes taskkill /F /IM chrome.exe to kill the Chrome process. The malware then collects credentials such as login data and cookies stored in Chrome and Mozilla browsers.

The collected data is saved to %TMP%\result.txt and removed after exfiltration. The malware sends the result.txt file to the command-and-control (C2) server http[:]//172.104.160[.]126:5000/Uploadss in an HTTP POST request, which includes the system MAC address and hardcoded key Privatekey@2211#$.

Recommendations

  • These recommendations can be implemented to help protect against the activity described in this report.
  • Only communicate with CrowdStrike representatives through official channels and adhere to CrowdStrike support teams’ technical guidance
  • Check websites’ certificates on the download page to ensure downloaded software originates from a legitimate source
  • Train users to avoid executing files from untrusted sources
  • Use browser settings to enable download protection that can issue warnings about potentially harmful websites or downloads
  • Hunt for the file result.txt in %TMP%, which might indicate a Daolpu infection

Appendix

YARA Rule

This YARA rule detects host-based artifacts associated with the activity described in this report.

rule CrowdStrike_CSA_240838_01 : daolpu stealer 
{
    meta:
        copyright = "(c) 2024 CrowdStrike Inc."
        description = "C++ stealer delivered via Word documents with macros impersonating CS"
        reports = "CSA-240838"
        version = "202407221342"
        last_modified = "2024-07-22"
        malware_family = "Daolpu"
    strings:
        $ = "C:\\Windows\\Temp\\result.txt"
        $ = "D:\\c++\\Mal_Cookie_x64\\x64\\Release\\mscorsvc.pdb"
    condition:
        all of them
}

Falcon LogScale Queries

This Falcon LogScale Query detects the activity described in this report.

// hunting rule for indicators (CSA-240838)
case { in("SHA256HashData", values=["00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99", "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8", "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a", "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721", "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61"]); in("RemoteAddressIP4", values=["172.104.160.126"]) } | table([cid, aid, #event_simpleName, ComputerName])

The following Falcon LogScale query detects the result.txt file with credentials in %TMP%:

// Result file with credentials for Daolpu stealer (CSA-240838)
"event_platform"="Win" | #event_simpleName = "FileOpenInfo" | FileName = "result.txt" | FilePath = /\\Device\\HarddiskVolume\d+\\Windows\\Temp\\$/

Indicators of Compromise (IOCs)

This table details the IOCs related to the information provided in this report.

DescriptionIOC
Word document SHA256 hash803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Macro download URLhttp[:]//172.104.160[.]126:8099/payload2.txt
Second-stage file SHA256 hash5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
Daolpu SHA256 hash4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
Daolpu SHA256 hash3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
Daolpu C2 serverhttp[:]//172.104.160[.]126:5000/Uploadss

Table 1. IOCs

MITRE ATT&CK

This table details the tactics and techniques described in this report.

TacticTechniqueObservable
ExecutionT1204 – User ExecutionThe threat actor relies on users to open the Word document
Credential AccessT1555 – Credentials from Password StoresDaolpu grabs sensitive information from browsers
Command and ControlT1071.001 – Application Layer Protocol: Web ProtocolsDaolpu exfiltrates data using the HTTP protocol
ExfiltrationT1041 – Exfiltration Over C2 ChannelDaolpu exfiltrates collected data to the C2 server

Table 2. MITRE ATT&CK Table

Don’t Stop Here

More To Explore

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise