Threat Actor Deploys Unidentified Stealer via Phony Recovery Manual

CrowdStrike Intelligence identified a macro-enabled Word document, posing as a Microsoft recovery manual, that delivers a previously unidentified stealer tracked as Daolpu. The macro downloads a second-stage file, decodes it into a DLL with certutil and executes it with rundll32; Daolpu then exfiltrates browser credentials to a remote C2 server. #Daolpu #CrowdStrike

Keypoints

  • A Word document named New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm is used as the lure, containing malicious macros.
  • The macro downloads a second-stage payload from URL http[:]//172.104.160[.]126:8099/payload2.txt and saves it as %TMP%\mscorsvc.dll.
  • The second-stage file is a Base64-encoded DLL that, when decoded, executes the stealer Daolpu.
  • The macro uses certutil to decode the Base64 file into a DLL, then runs the decoded DLL via rundll32, calling its DllMain.
  • Daolpu kills Chrome, collects credentials and cookies from Chrome and Mozilla browsers, and stores the results in %TMP%\result.txt for exfiltration.
  • Exfiltration occurs via HTTP POST to http[:]//172.104.160[.]126:5000/Uploadss, including the system MAC address and a hardcoded key Privatekey@2211#$.
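The certutil-decode-then-rundll32 sequence described in the keypoints is a correlatable pattern in process-creation telemetry. As an added example (not code from the CrowdStrike report), the detection below pairs a certutil -decode that writes a .dll into the user's Temp directory with a rundll32 load of that same path shortly afterwards; the events, user path and the decoded DLL name mscorsvc_dec.dll are constructed placeholders, since the report does not name the file certutil produces.

```python
import re
from datetime import datetime, timedelta

# Constructed, Sysmon-style process-creation events (not from the report).
# "mscorsvc_dec.dll" is a placeholder for the DLL certutil produces.
TMP = r"C:\Users\u\AppData\Local\Temp"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"ts": "2024-07-22T10:00:01", "parent": r"C:\Windows\explorer.exe",
     "cmd": f'"{WINWORD}" /n New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm'},
    {"ts": "2024-07-22T10:00:05", "parent": WINWORD,
     "cmd": rf"certutil -decode {TMP}\mscorsvc.dll {TMP}\mscorsvc_dec.dll"},
    {"ts": "2024-07-22T10:00:06", "parent": WINWORD,
     "cmd": rf"rundll32 {TMP}\mscorsvc_dec.dll,DllMain"},
    # Benign look-alikes that must not alert.
    {"ts": "2024-07-22T10:02:00", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": "2024-07-22T10:03:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil -decode C:\tools\cert.b64 C:\tools\cert.cer"},
]

CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\b.*?-decode\s+\S+\s+(?P<out>\S+)", re.I)
RUNDLL32_LOAD = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def detect_decode_then_load(events, window=timedelta(minutes=5)):
    """Pair a certutil -decode that writes a .dll into %TMP% with a later
    rundll32 load of the same path inside `window`. Returns alert dicts
    holding both events and whether an Office app spawned the decode."""
    decoded = {}  # lower-cased output path -> (timestamp, certutil event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        m = CERTUTIL_DECODE.search(ev["cmd"])
        if m:
            out = m.group("out")
            if out.lower().endswith(".dll") and TEMP_DIR.search(out):
                decoded[out.lower()] = (ts, ev)
            continue
        m = RUNDLL32_LOAD.search(ev["cmd"])
        if not m:
            continue
        hit = decoded.get(m.group("dll").lower())
        if hit and ts - hit[0] <= window:
            alerts.append({"decode": hit[1], "load": ev,
                           "office_parent": hit[1]["parent"].lower().endswith(OFFICE_APPS)})
    return alerts
```

Paths containing spaces would need proper command-line tokenisation rather than the whitespace split used here.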

MITRE Techniques

  • [T1204] User Execution – The threat actor relies on users to open the Word document. “The threat actor relies on users to open the Word document”
  • [T1555] Credentials from Password Stores – Daolpu grabs sensitive information from browsers. “Daolpu grabs sensitive information from browsers”
  • [T1071.001] Application Layer Protocol: Web Protocols – Daolpu exfiltrates data using the HTTP protocol. “Daolpu exfiltrates data using the HTTP protocol”
  • [T1041] Exfiltration – Daolpu exfiltrates the collected data to the C2 server. “Daolpu exfiltrates collected data to the C2 server”

Indicators of Compromise

  • [File Hash] Word document SHA256 hash – 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
  • [URL] Macro download URL – http[:]//172.104.160[.]126:8099/payload2.txt
  • [File Hash] Second-stage file SHA256 hash – 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
  • [File Hash] Daolpu SHA256 hash – 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
  • [File Hash] Daolpu SHA256 hash – 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
  • [C2] Daolpu C2 server – http[:]//172.104.160[.]126:5000/Uploadss

Read more: https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/