Hackers are creating fake CrowdStrike recovery resources to trick businesses into loading malware onto their network


Amid the ongoing fallout from one of the largest IT outages we’ve ever seen, CrowdStrike has warned that cyber criminals are targeting affected companies with fake fixes.

The cyber security firm released a blog warning customers that threat actors were distributing a fake recovery manual to deliver malware onto their network.

According to the report, CrowdStrike Intelligence identified a Word document whose macros download a previously unidentified infostealer, which the blog tracks as “Daolpu”.

The lure document’s malicious macros retrieve and execute DLL files that load the Daolpu infostealer onto the system. Once running, it harvests credentials, including saved login data and cookies from Chrome and Mozilla Firefox.

The UK’s National Cyber Security Centre (NCSC) issued an alert on 19 July, warning users to be on the lookout for an increased volume of phishing attacks related to the CrowdStrike outages.

“[A]n increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organizations and individuals,” the agency reported.

Malware analysis firm ANY.RUN showed how users searching for a fix to the faulty CrowdStrike update could instead wipe their own systems.

The company posted on X that attackers are distributing data wiper malware disguised as a CrowdStrike update, which “decimates” the system by overwriting files with zero bytes and then reports back over Telegram.

Discussing the same campaign, security researcher g0njxa claimed the group was targeting the BBVA bank, while a blog published by CrowdStrike on 19 July noted a malicious ZIP archive distributed as a hotfix, containing Spanish-language instructions that advised the user to run the executable inside the archive.

This ZIP file also contained the HijackLoader malware loader, which installs a remote-access trojan called ‘Remcos RAT’ on the system.
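Both delivery chains described above (a Word document carrying macros, and a ZIP archive that bundles an executable with instructions to run it) can be screened before anyone double-clicks. The script below is an added example written for this article, not code from CrowdStrike or any other vendor; the file names, archive contents and keyword list are constructed for the demonstration.

```python
"""Triage a file that claims to be a CrowdStrike recovery manual or hotfix.

Added example for this article, not CrowdStrike's code. It checks for the two
delivery patterns the article describes: an OOXML Office document carrying a
VBA macro project (vbaProject.bin) and a ZIP archive that ships an executable
with instructions to run it. All sample files are constructed in memory.
"""
import io
import zipfile
from typing import Dict, List

# A genuine remediation guide has no reason to ask you to run any of these.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                       ".vbs", ".js", ".hta", ".msi", ".lnk")
OFFICE_SUFFIXES = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
# Words (English and Spanish, matching the lure in the article) that ask the reader to run something.
RUN_KEYWORDS = ("ejecut", "run ", "execute", "double-click")


def inspect_ooxml(data: bytes) -> List[str]:
    """Findings for an OOXML Office document, which is itself a ZIP container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        names = [n.lower() for n in doc.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("document contains a VBA macro project (vbaProject.bin)")
        if any("/embeddings/" in n for n in names):
            findings.append("document contains embedded OLE objects")
    return findings


def inspect_zip(data: bytes) -> List[str]:
    """Findings for a ZIP archive handed out as a 'hotfix'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"archive contains executable content: {name}")
            elif lower.endswith(OFFICE_SUFFIXES):
                inner = archive.read(name)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.extend(f"{name}: {f}" for f in inspect_ooxml(inner))
            elif lower.endswith((".txt", ".md", ".html")):
                text = archive.read(name).decode("utf-8", errors="replace").lower()
                if any(word in text for word in RUN_KEYWORDS):
                    findings.append(f"{name} instructs the reader to run a file")
    return findings


def triage(filename: str, data: bytes) -> List[str]:
    """Dispatch on container type; non-ZIP data is flagged for manual review."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [f"{filename} is not a ZIP-based container; inspect manually"]
    if filename.lower().endswith(OFFICE_SUFFIXES):
        return inspect_ooxml(data)
    return inspect_zip(data)


def _build_zip(entries: Dict[str, bytes]) -> bytes:
    """Helper to construct sample archives for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for the lures described in the article.
FAKE_MANUAL = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",  # OLE header; a real macro project would follow
})
FAKE_HOTFIX = _build_zip({
    "instrucciones.txt": "Ejecute crowdstrike-hotfix.exe para reparar el equipo.".encode(),
    "crowdstrike-hotfix.exe": b"MZ" + b"\x00" * 64,
})
CLEAN_DOC = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})

if __name__ == "__main__":
    for name, blob in [("recovery_manual.docm", FAKE_MANUAL),
                       ("hotfix.zip", FAKE_HOTFIX),
                       ("notes.docx", CLEAN_DOC)]:
        print(name, "->", triage(name, blob) or ["no findings"])
```

The check is deliberately structural rather than signature-based: it does not try to identify Daolpu, HijackLoader or Remcos, only to surface the fact that a supposed recovery document wants to run code, which is reason enough to stop and verify the source.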

Businesses should look out for malware disguised as quick fixes for CrowdStrike issue

Jason Kent, hacker in residence at API security company Cequence, said this was the latest example of how quickly cyber criminals adapt their attacks to current events.

“In the ever-evolving landscape of cybersecurity, the recent incident involving fake CrowdStrike fixes targeting companies with malware and data wipers is a stark reminder that cybercriminals are always on the lookout for timely and deceptive ways to trick individuals and organizations,” he warned.

“This type of attack is not new; hackers consistently exploit current events and trusted brands to dupe unsuspecting users. It is crucial to be extremely vigilant about the links you click on.”

Any solution described as a ‘quick fix’ should be treated with caution, Kent added.


“Especially when solutions are presented as quick fixes, it's important to verify their authenticity before implementing them. For instance, the malicious domain “crowdstrike.a.com” might appear legitimate at a glance, but it is a far cry from the authentic “a.crowdstrike.com.” The subtle difference underscores the importance of scrutinizing URLs before interacting with them.”
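The rule Kent describes, judging a link by its registrable domain rather than by the vendor name appearing somewhere in the string, is mechanical enough to script. The following is an added example written for this article, not code from Cequence or CrowdStrike; the trusted domain and every sample URL are constructed for the demonstration.

```python
"""Decide whether a link actually belongs to the vendor it appears to name.

Added example for this article; not code from Cequence or CrowdStrike.
TRUSTED_DOMAIN and the SAMPLES list are assumptions constructed for the demo.
"""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "crowdstrike.com"  # assumed: the registrable domain we trust


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host of an http(s) URL, or None for anything else.

    urlsplit().hostname strips userinfo and the port, so a decoy such as
    https://crowdstrike.com@evil.example/ resolves to evil.example.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_trusted(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if the host is `trusted` itself or a subdomain of it."""
    host = hostname_of(url)
    if not host:
        return False
    labels = host.split(".")
    # Punycode labels (xn--) can render as look-alike characters; refuse them here.
    if any(label.startswith("xn--") for label in labels):
        return False
    trusted_labels = trusted.lower().split(".")
    # Compare whole labels from the right: a.crowdstrike.com matches,
    # crowdstrike.a.com and crowdstrike.com.evil.example do not.
    return labels[-len(trusted_labels):] == trusted_labels


def classify(urls):
    """Map each URL to its verdict so a batch of links can be reviewed at once."""
    return {u: is_trusted(u) for u in urls}


# Constructed sample links: the two forms from the quote plus common variants.
SAMPLES = [
    "https://a.crowdstrike.com/remediation",         # legitimate subdomain
    "https://crowdstrike.a.com/remediation",         # vendor name as a subdomain of a.com
    "https://crowdstrike.com.evil.example/",         # vendor domain embedded on the left
    "https://www.crowdstrike.com@evil.example/fix",  # userinfo decoy
    "https://CROWDSTRIKE.COM/blog",                  # case must not matter
    "https://xn--crowdstrke-3xb.com/",               # punycode look-alike
    "ftp://crowdstrike.com/",                        # wrong scheme
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print("TRUSTED  " if verdict else "UNTRUSTED", url)
```

The comparison is done on whole DNS labels from the right-hand end, which is what distinguishes a real subdomain from a look-alike; a substring test such as `"crowdstrike.com" in url` would pass four of the six hostile samples.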

Similarly, Max Gannon, cyber threat intelligence manager at Cofense, advised those affected by the outage to verify that they are communicating with an official CrowdStrike representative.

“When dealing with this sort of issue it is important to verify who you are talking to. It is typically better to be the one to initiate a conversation, as that is much harder for threat actors to hijack than when you receive an email about a time-sensitive news topic that may look suspicious but has you rushing so much you might not notice.”

Gannon said it is likely that further campaigns will pose as Microsoft and other companies implicated in the outage, and urged businesses to stay on high alert for such scams.

“We have seen threat actors spoofing CrowdStrike and publicly claiming ownership, but we are also likely to see threat actors spoofing Microsoft and every relevant company including “updates” from one’s own company relating to the incident,” he explained.

“As with anything that shows up in the news, if you receive an email about it you should pause to evaluate rather than giving in to the implied urgency of the topic."

CrowdStrike reiterated this advice in its blog describing the Daolpu infostealer, adding that defenders can check for a file named result.txt in the %TMP% directory, which may indicate a Daolpu infection.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.