On July 22, 2024, CrowdStrike Intelligence identified a Word document containing macros that download an unidentified stealer, now tracked as Daolpu. The document impersonates a Microsoft recovery guide.[1] Initial analysis indicates the activity is likely criminal.
Technical Analysis
Lure document
The analyzed file, New recovery tool to help resolve CrowdStrike issue affecting Windows.docm (SHA256 hash: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61), is a Word document that contains malicious macros.
When executed, the macro retrieves a second-stage file from the URL http(:)//172.104.160(.)126:8099/payload2.txt and saves it as %TMP%\mscorsvc.dll. On July 22, 2024, the URL served a file (SHA256 hash: 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721) containing a Base64-encoded DLL which, once decoded, is the new Daolpu stealer.
The macro decodes the Base64-encoded DLL using the Windows certutil tool, producing a second DLL (SHA256 hash: 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a; build timestamp 2024-07-19 08:10:10 UTC). The macro then runs this DLL with rundll32, calling its exported function DllMain.
Daolpu Stealer
When executed, Daolpu runs taskkill /F /IM chrome.exe to terminate the Chrome process. The malware then collects credentials such as login data and cookies stored in Chrome and Mozilla browsers.
The collected data is written to %TMP%\result.txt and deleted after exfiltration. The malware sends the result.txt file to the C2 server http(:)//172.104.160(.)126:5000/Uploadss in an HTTP POST request that also includes the system MAC address and the static key Privatekey@2211#$.
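The delivery and execution chain above (Word macro spawning certutil, rundll32 invoking DllMain on the dropped mscorsvc.dll, taskkill against chrome.exe, result.txt written to a Temp directory, and the POST to the C2 host) can be turned into host-correlated detection logic. The following is an added example written for this report, not CrowdStrike's own code or a Falcon query: it replays that chain over constructed endpoint telemetry records and flags hosts where several stages fire together. The event schema (kind, parent, image, cmdline, path, sha256, dst_ip, dst_port, url_path) and the sample records are assumptions; the hashes, host, ports and paths come from the report.

```python
"""
Added example (not CrowdStrike's code): correlate the Daolpu delivery chain
described in the report over constructed endpoint telemetry.
Event field names are an assumed schema, not a real sensor's.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report
IOC_SHA256 = {
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61": "lure .docm",
    "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721": "stage-2 Base64 DLL",
    "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a": "Daolpu DLL",
    "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8": "Daolpu DLL",
}
C2_HOST = "172.104.160.126"
C2_PORTS = {8099, 5000}          # payload download and upload ports from the report
OFFICE_PARENTS = {"winword.exe"}  # assumed: the macro host that spawns certutil


@dataclass
class Event:
    kind: str            # "process", "file" or "network" (assumed schema)
    host: str
    image: str = ""
    parent: str = ""
    cmdline: str = ""
    path: str = ""
    sha256: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    url_path: str = ""


def detect(events):
    """Return (host, rule, detail) findings for every stage of the chain seen."""
    findings = []
    for ev in events:
        if ev.sha256.lower() in IOC_SHA256:
            findings.append((ev.host, "known_hash", IOC_SHA256[ev.sha256.lower()]))
        if ev.kind == "process":
            img, cmd, par = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
            # Word macro decoding the Base64 payload with certutil
            if par in OFFICE_PARENTS and img.endswith("certutil.exe"):
                findings.append((ev.host, "office_spawns_certutil", ev.cmdline))
            # rundll32 loading the dropped DLL and calling its DllMain export
            if img.endswith("rundll32.exe") and "mscorsvc.dll" in cmd and "dllmain" in cmd:
                findings.append((ev.host, "rundll32_mscorsvc_dllmain", ev.cmdline))
            # Chrome terminated so its credential stores can be read
            if img.endswith("taskkill.exe") and re.search(r"/im\s+chrome\.exe", cmd):
                findings.append((ev.host, "taskkill_chrome", ev.cmdline))
        elif ev.kind == "file":
            # %TMP% may be C:\Windows\Temp (SYSTEM) or a user Temp directory
            p = ev.path.lower().replace("/", "\\")
            if p.endswith("\\temp\\result.txt"):
                findings.append((ev.host, "result_txt_in_temp", ev.path))
        elif ev.kind == "network":
            if ev.dst_ip == C2_HOST and ev.dst_port in C2_PORTS:
                findings.append((ev.host, "c2_contact",
                                 f"{ev.dst_ip}:{ev.dst_port}{ev.url_path}"))
    return findings


def chain_hosts(findings, minimum=3):
    """Hosts where at least `minimum` distinct rules fired: the chain, not a stray hit."""
    by_host = {}
    for host, rule, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


# Constructed sample telemetry (not real logs). Paths and the certutil
# command line are assumptions consistent with the report's description.
SAMPLE = [
    Event("process", "ws01", image=r"C:\Windows\System32\certutil.exe", parent="WINWORD.EXE",
          cmdline=r"certutil -decode C:\Users\a\AppData\Local\Temp\payload2.txt "
                  r"C:\Users\a\AppData\Local\Temp\mscorsvc.dll"),
    Event("file", "ws01", path=r"C:\Users\a\AppData\Local\Temp\mscorsvc.dll",
          sha256="4AD9845E691DD415420E0C253BA452772495C0B971F48294B54631E79A22644A"),
    Event("process", "ws01", image=r"C:\Windows\System32\rundll32.exe", parent="WINWORD.EXE",
          cmdline=r"rundll32 C:\Users\a\AppData\Local\Temp\mscorsvc.dll,DllMain"),
    Event("process", "ws01", image=r"C:\Windows\System32\taskkill.exe", parent="rundll32.exe",
          cmdline="taskkill /F /IM chrome.exe"),
    Event("file", "ws01", path=r"C:\Windows\Temp\result.txt"),
    Event("network", "ws01", image=r"C:\Windows\System32\rundll32.exe",
          dst_ip="172.104.160.126", dst_port=5000, url_path="/Uploadss"),
    # benign host: ordinary rundll32 use, a result.txt outside Temp, normal browsing
    Event("process", "ws02", image=r"C:\Windows\System32\rundll32.exe", parent="explorer.exe",
          cmdline="rundll32 printui.dll,PrintUIEntry /s"),
    Event("file", "ws02", path=r"C:\Users\b\Documents\result.txt"),
    Event("network", "ws02", image="chrome.exe", dst_ip="10.0.0.5", dst_port=443, url_path="/"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
    print("hosts showing the chain:", chain_hosts(detect(SAMPLE)))
```

Requiring several distinct rules per host before escalating keeps a lone result.txt in a Temp directory, or a single rundll32 execution, from paging anyone, while a host that shows the certutil decode, the DllMain call and the upload together is a strong match for this report.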
Recommendations
These recommendations can be implemented to help protect against the activity described in this report.
- Only contact CrowdStrike representatives through official channels and adhere to the technical guidance of CrowdStrike support teams.
- Check website certificates on the download page to ensure that downloaded software comes from a legitimate source.
- Train users to avoid executing files from untrusted sources.
- Use browser settings to enable download protection, which can issue warnings about potentially malicious websites or downloads.
- Look for a result.txt file in %TMP%, which may indicate a Daolpu infection.
Appendix
YARA rule
This YARA rule detects host-based artifacts associated with the activity described in this report.
rule CrowdStrike_CSA_240838_01 : daolpu stealer
{
    meta:
        copyright = "(c) 2024 CrowdStrike Inc."
        description = "C++ stealer delivered via Word documents with macros impersonating CS"
        reports = "CSA-240838"
        version = "202407221342"
        last_modified = "2024-07-22"
        malware_family = "Daolpu"
    strings:
        $ = "C:\\Windows\\Temp\\result.txt"
        $ = "D:\\c++\\Mal_Cookie_x64\\x64\\Release\\mscorsvc.pdb"
    condition:
        all of them
}
Falcon LogScale queries
This Falcon LogScale query detects the indicators listed in this report.
// Index Search Rule (CSA-240838)
case {
    in("SHA256HashData", values=(
        "00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99",
        "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8",
        "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a",
        "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721",
        "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61"));
    in("RemoteAddressIP4", values=("172.104.160.126"))
}
| table([cid, aid, #event_simpleName, ComputerName])
The following Falcon LogScale query detects a result.txt file containing credentials in %TMP%:
// Result file with Daolpu stealer credentials (CSA-240838)
"event_platform"="Win"
| event_simpleName="FileOpenInfo"
| FileName="result.txt"
| FilePath="C:\\Windows\\Temp\\"
Indicators of compromise (IOCs)
This table lists the atomic indicators related to the information provided in this report.
Description | IOC
Word document SHA256 hash | 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Macro download link | http(:)//172.104.160(.)126:8099/payload2.txt
Stage 2 file SHA256 hash | 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
Daolpu SHA256 hash | 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
Daolpu SHA256 hash | 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
Daolpu C2 server | http(:)//172.104.160(.)126:5000/Uploadss
Table 1. Atomic indicators
MITRE ATT&CK
This table lists the tactics and techniques described in this report.
Tactic | Technique | Observable
Execution | T1204 – User Execution | The threat actor relies on users to open a Word document
Credential Access | T1555 – Credentials from Password Stores | Daolpu extracts sensitive information from browsers
Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Daolpu exfiltrates data over HTTP
Exfiltration | T1041 – Exfiltration Over C2 Channel | Daolpu exfiltrates the collected data to a C2 server
Table 2. MITRE ATT&CK table
Additional Resources
Read other blog posts from CrowdStrike Intelligence regarding the Falcon content issue:
https(:)//techcommunity(.)microsoft(.)com/t5/intune-customer-success/New-recovery-tool-to-help-affect-crowd-strike-problem/ba-p/4196959