Threat Actor Uses Fake Recovery Manual to Deliver Unidentified Stealer
July 24, 2024, 8:16 a.m.
Description
An intelligence report outlines a campaign in which an unidentified threat actor distributed a malicious, macro-enabled Word document posing as a Microsoft recovery manual. Once the macros execute, they download a previously unseen stealer now tracked as Daolpu. Daolpu harvests credentials stored in web browsers, writes them to a temporary file, and then exfiltrates that file to a command-and-control server. The report provides technical analysis, recommendations, indicators of compromise, and MITRE ATT&CK mappings for the operation.
Date
Published: July 24, 2024, 8:06 a.m.
Created: July 24, 2024, 8:06 a.m.
Modified: July 24, 2024, 8:16 a.m.
Indicators
803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99
172.104.160.126
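As an added example (not part of the report or of any vendor tooling), the following Python sweep checks files on disk against the SHA-256 indicators listed above and scans log lines for the command-and-control address. The proxy log lines are constructed for illustration; the hash of `b"abc"` used in the self-check is a well-known test vector, not a campaign artifact.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 file indicators listed on this page.
IOC_SHA256 = {
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61",
    "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721",
    "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a",
    "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8",
    "00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99",
}

# Network indicator (C2 address) listed on this page.
IOC_IPS = {"172.104.160.126"}

# Constructed sample proxy log lines (not real data). Only the first line
# contains the listed C2 address; the third is a different host that merely
# shares a prefix and must not match.
SAMPLE_PROXY_LOG = [
    "2024-07-22T10:15:02Z src=10.0.0.5 dst=172.104.160.126 method=POST bytes=4120",
    "2024-07-22T10:15:09Z src=10.0.0.5 dst=93.184.216.34 method=GET bytes=512",
    "2024-07-22T10:16:44Z src=10.0.0.7 dst=172.104.160.12 method=GET bytes=88",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs=IOC_SHA256):
    """Return {path: sha256} for every regular file under root whose hash is a listed IoC."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in iocs:
                hits[str(p)] = digest
    return hits


def scan_log_lines(lines, iocs=IOC_IPS):
    """Return (line_number, ip) for each log line that contains a listed C2 address.

    The regex extracts whole dotted-quad tokens, so a host that only shares a
    prefix with the indicator (e.g. 172.104.160.12) is not reported.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((n, ip))
    return hits


if __name__ == "__main__":
    for n, ip in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"C2 contact on line {n}: {ip}")
    for path, digest in sweep_directory(".").items():
        print(f"IoC hash match: {path} {digest}")
```

Hash matching only catches the exact samples the report lists; a rebuilt Daolpu binary or a repacked lure document will not hash to these values, so treat a clean sweep as absence of these specific artifacts, not absence of the campaign. Network telemetry for the C2 address and the browser-credential behaviour described above remain the more durable signals.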
Attack Patterns
Daolpu
T1555 (Credentials from Password Stores)
T1071.001 (Application Layer Protocol: Web Protocols)
T1204 (User Execution)
T1041 (Exfiltration Over C2 Channel)