Threat Actor Uses Fake Recovery Manual to Deliver Unidentified Stealer
July 24, 2024, 8:16 a.m.
Description
An intelligence report describes a campaign in which an unidentified threat actor distributed a macro-enabled Word document posing as a Microsoft recovery manual. When the document's macros run, they download a previously unseen information stealer now tracked as Daolpu. Daolpu harvests credentials stored in web browsers, writes them to a temporary file, and exfiltrates that file to a command-and-control server. The report includes technical analysis, recommendations, indicators of compromise, and MITRE ATT&CK mappings for the operation.
Date
- Created: July 24, 2024, 8:06 a.m.
- Published: July 24, 2024, 8:06 a.m.
- Modified: July 24, 2024, 8:16 a.m.
Indicators
- SHA-256: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
- SHA-256: 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
- SHA-256: 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
- SHA-256: 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
- SHA-256: 00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99
- IPv4 (command-and-control): 172.104.160.126
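The following is an added hunting example written for this page, not code from the report or from the threat actor's tooling. It turns the indicators above into two checks a practitioner would run: hashing files under a directory against the listed SHA-256 values (the dropped document and stealer samples) and scanning proxy or firewall log lines for the listed C2 address (the exfiltration described above). The log format, field names and sample lines are constructed for the demonstration and are not taken from the report.

```python
"""Hunt for the Daolpu indicators listed on this page.

Editor-added example; not part of the original report. Indicator values are
copied from the page. The log format below is an assumption for illustration.
"""
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 values listed on the page (stored lowercase for case-insensitive match).
DAOLPU_SHA256 = {
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61",
    "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721",
    "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a",
    "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8",
    "00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99",
}

# Command-and-control address listed on the page.
DAOLPU_C2_IPS = {"172.104.160.126"}


def match_hash(hexdigest: str) -> bool:
    """True if a SHA-256 hex digest (any case, surrounding whitespace ignored)
    is one of the listed indicators."""
    return hexdigest.strip().lower() in DAOLPU_SHA256


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_files(root):
    """Return (path, digest) for every regular file under root whose SHA-256
    matches a listed indicator. Unreadable files are skipped, not fatal."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue
        if match_hash(digest):
            hits.append((str(p), digest))
    return hits


# Whole-token IPv4 match: "172.104.160.1" must not match "172.104.160.126".
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hunt_log_lines(lines):
    """Return (line_no, ip, line) for each line carrying a listed C2 address.
    Any line format works; every IPv4 token on the line is checked exactly."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in DAOLPU_C2_IPS:
                hits.append((n, ip, line.rstrip()))
                break
    return hits


# Constructed sample proxy log (not real traffic). Field names are assumed.
# Line 2 is an outbound POST to the C2; line 3 is a near-miss address.
SAMPLE_LOG = [
    "2024-07-24T08:10:01Z host=WS-0412 method=GET dst=93.184.216.34 status=200",
    "2024-07-24T08:11:42Z host=WS-0412 method=POST dst=172.104.160.126 status=200 bytes=18432",
    "2024-07-24T08:12:05Z host=WS-0417 method=GET dst=172.104.160.1 status=304",
]


if __name__ == "__main__":
    # Usage: python hunt_daolpu.py [directory-to-hash]  (defaults to ".")
    for n, ip, line in hunt_log_lines(SAMPLE_LOG):
        print(f"C2 hit on line {n} ({ip}): {line}")
    for path, digest in hunt_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"hash hit: {path} {digest}")
```

Treat a hit from either check as a lead, not a verdict: the hash list catches only the exact samples the report analysed (a recompiled or repacked build will not match), and an IP address can be reassigned after the campaign, so a C2 match on older logs should be correlated with the time window of the report and with host-side evidence such as a macro-enabled document opened from mail and a temporary file written shortly before the outbound POST.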