Cybercriminals Exploit CrowdStrike Falcon Update with Fake Fixes and Malware

After the faulty Falcon sensor update caused widespread IT outages, attackers quickly crafted phishing campaigns, posing as CrowdStrike support, to deliver malicious payloads. One notable campaign uses a fraudulent CrowdStrike recovery manual to install the Daolpu information stealer. The lure is a macro-enabled Word document posing as a Microsoft recovery guide, delivered as a phishing attachment; if the recipient enables macros, it downloads and installs a malicious DLL that harvests saved credentials, cookies and browsing history from Chrome, Edge, Firefox and Cốc Cốc. The collected data is staged locally, sent to a command-and-control server, and then deleted from disk.
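The Daolpu lure only works if a macro-enabled document reaches the user and the user clicks "Enable Content", so a practical gateway check is to flag any attachment that carries a VBA project regardless of its file extension. The script below is an added example for this digest, not code from BleepingComputer or CrowdStrike; it relies only on the public OOXML layout (documents are zip containers, VBA lives in word/vbaProject.bin, and [Content_Types].xml declares a macroEnabled main part) and builds its own synthetic samples, so no real lure file is needed to run it.

```python
"""Flag Office documents that carry VBA macros, whatever their extension.

Added example for this digest; it is not code from BleepingComputer or
CrowdStrike. OOXML documents (.docx/.docm/.xlsx/.xlsm/...) are zip
containers: a VBA project lives in word/vbaProject.bin (xl/, ppt/ for the
other apps) and [Content_Types].xml declares a macroEnabled main part.
Renaming .docm to .docx changes neither, so inspect the container itself.
"""
import io
import re
import sys
import zipfile

VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_PART = re.compile(r"macroEnabled\.main\+xml", re.IGNORECASE)


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document looks macro-enabled.

    An empty list means an OOXML container with no macro indicators.
    A ValueError means the bytes are not OOXML at all (e.g. a legacy OLE
    .doc), which needs a different inspector rather than a 'clean' verdict.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (zip) container") from exc
    reasons = []
    with zf:
        names = zf.namelist()
        for name in names:
            if VBA_PART.match(name):
                reasons.append(f"VBA project part present: {name}")
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_MAIN_PART.search(content_types):
                reasons.append("macro-enabled main part declared in [Content_Types].xml")
            if VBA_CONTENT_TYPE in content_types:
                reasons.append("vbaProject content type declared in [Content_Types].xml")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (synthetic test data, not a real lure)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macro:
        ct_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ct_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE compound files; the OLE magic bytes suffice here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_macros.py attachment1.docx attachment2.docm ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                hits = macro_indicators(fh.read())
            except ValueError as exc:
                print(f"{path}: UNSUPPORTED ({exc})")
                continue
        print(f"{path}: {'MACRO ' + '; '.join(hits) if hits else 'no macro indicators'}")
```

The check deliberately reports three independent indicators (the binary part, the main-part content type and the vbaProject content type), because an attacker can strip or rename any one of them while Word still opens the file; a non-zip input is surfaced as unsupported rather than clean so that legacy .doc attachments are routed to an OLE-aware scanner instead of being waved through.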
In a separate campaign, attackers distributed data-wiping malware posing as a legitimate CrowdStrike fix, again using the outage as a pretext. The wiper has been linked to the pro-Iranian hacktivist group Handala, whose aim is maximum disruption through the destruction of data on compromised systems.
CrowdStrike has issued advisories warning users to verify any recovery instructions through official channels to avoid falling victim to these scams. The company has provided YARA rules and indicators of compromise to help detect and mitigate these threats. Additionally, Microsoft has released a custom recovery tool to assist affected users.
Bleeping Computer 07/21/2024,
Bleeping Computer 07/23/2024