CrowdStrike, still dealing with the fallout of last Friday's failed update, warns of a malicious manual doing the rounds. It is supposedly intended to restore systems affected by that update. In reality, it uses malicious macros to send login credentials back to criminals.
On its website, CrowdStrike says the lure is a simple Word document. The document contains macros that, once enabled, download a stealer called Daolpu. This piece of malware steals login credentials and cookies from both Google Chrome and Mozilla Firefox and sends them back to the attackers.
The manual resembles an official Microsoft post of the same name on the tech giant’s site: ‘New Recovery Tool to help with CrowdStrike issue impacting Windows’. This is the legitimate blog post in question.
Tips to detect infection
In its own post, CrowdStrike shares details about the rogue document, including the scripts it runs, the storage locations of (temporary) files and other indicators of compromise.
For example, admins can look for a file named results.txt in the directory that the %TMP% environment variable points to. If the text file is present there, the system is likely infected. CrowdStrike further advises communicating with company representatives only through official channels and consulting only technical manuals from reliable sources.
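Because %TMP% is resolved per user, checking it from one admin session does not cover other accounts on the same machine. The following PowerShell sweep is an added example, not code from CrowdStrike or from this article; it assumes the artefact is written to the infected user's own Temp folder and that profiles live under C:\Users.

```powershell
# Added example: look for the results.txt artefact named in the advisory in the
# current session's %TMP% and in every local profile's default Temp directory.
# Assumption: profiles are under C:\Users and use the default AppData\Local\Temp.
$hits = @()

$tempDirs = @($env:TMP) + (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

foreach ($dir in ($tempDirs | Select-Object -Unique)) {
    $candidate = Join-Path $dir 'results.txt'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $item = Get-Item -LiteralPath $candidate
        # Record metadata and a hash so the file can be preserved as evidence.
        $hits += [pscustomobject]@{
            Path     = $item.FullName
            SizeKB   = [math]::Round($item.Length / 1KB, 1)
            Modified = $item.LastWriteTimeUtc
            SHA256   = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No results.txt found in any Temp directory.'
} else {
    Write-Warning 'Possible Daolpu artefact found; isolate the host and keep the file for analysis.'
    $hits | Format-Table -AutoSize
}
```

results.txt is a generic file name, so a hit is a trigger for investigation, not proof of infection on its own; compare the hash and contents against the indicators in CrowdStrike's post before acting.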
Hackers and cybercriminals are hoping to take advantage of CrowdStrike's update debacle. According to several security analysts and national cybersecurity authorities, the incident has led to a wave of phishing attacks. Companies are presented with a legitimate-looking hotfix for the problem, but these offers often carry malicious scripts that install remote access tools and data wipers.
The company announced via LinkedIn that it is testing a new remediation technique, but no updates have appeared since yesterday.