
Daolpu (Infostealer) – Malware

January 30, 2025
Reading Time: 4 mins read
in Malware

Daolpu

Type of Malware

Infostealer

Date of Initial Activity

2024

Motivation

Data Theft

Attack Vectors

Phishing

Targeted Systems

Windows

Type of Information Stolen

Login Credentials
Corporate Data

Overview

The Daolpu Infostealer emerged as a notable threat when it was discovered on July 24, 2024. Using the confusion around the recent CrowdStrike outage as a lure, the malware is delivered through a weaponized Microsoft Word document. Daolpu shows how cybercriminals exploit ongoing security incidents to craft targeted phishing campaigns, capitalizing on the urgency and uncertainty that accompany such events. The malware is built to harvest sensitive information from infected systems.

At its core, Daolpu relies on a macro-based attack, a technique that persists because it keeps working. By embedding malicious code in an Office document, the attackers exploit users' trust and manipulate them into enabling macros, which triggers execution of the malware. The weaponized documents are dressed up as urgent fixes for the ongoing security problem, a façade of legitimacy that raises the likelihood of infection and highlights the difficulty organizations face in maintaining robust security controls under pressure.

Once running, Daolpu systematically gathers sensitive information from applications and browsers, targeting credentials and personal data that can be used for identity theft or financial fraud. Its design allows it to exfiltrate data efficiently and often without raising alarms. The rise of Daolpu is therefore a cautionary tale, urging organizations to strengthen their security measures and to educate users about the risks of opening unsolicited documents and enabling macros.

The Daolpu Infostealer exemplifies the evolving landscape of cyber threats and the need for a proactive, informed approach to cybersecurity.

Targets

Individuals' Information

How they operate

Infection Vector: Phishing and Macro Execution
The primary delivery mechanism for Daolpu is a malicious Word document, typically spread through phishing emails. The document contains macros, which are small scripts designed to automate tasks within Microsoft Office applications. When a victim opens the document and enables macros—a step often overlooked due to user ignorance or urgency—the macro executes automatically, triggering the malware’s payload without further user interaction. This execution process leverages the macro scripting capabilities of Word, taking advantage of the common practice of enabling macros for legitimate documents. Once the macro is executed, it initiates a download sequence for the Daolpu payload, which is hosted on an attacker-controlled server. The malware is delivered as a DLL file, which integrates with the infected system’s processes. The absence of sophisticated obfuscation techniques suggests that Daolpu was developed quickly, indicating a focused attack strategy that capitalizes on the chaotic situation following the CrowdStrike incident.
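The delivery chain above (Word macro, download, DLL executed on the host) leaves a recognizable trace in process-creation telemetry: an Office application as the parent of a script host or DLL loader. The following detection logic is an added example written for this page, not code from the write-up or from the analysis it cites. Event field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine, ProcessId); the loader list, the user-writable path pattern and every sample event are constructed assumptions.

```python
"""Added example: flag Office applications spawning script hosts or DLL loaders,
the process shape a macro-to-DLL delivery chain leaves behind. Not the
write-up's code; all sample events are constructed."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Signed Windows binaries commonly abused to run a downloaded DLL or script (assumed list).
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Locations a macro can write to without elevation (assumed pattern).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE)


@dataclass
class Alert:
    process_id: int
    severity: str
    reason: str


def basename(image_path):
    """Last path component, lower-cased, so vendor install paths do not matter."""
    return image_path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one Alert per event whose parent is an Office app and whose child is
    a loader; severity is 'high' when the command line names a .dll under a
    user-writable path (drop-then-load), otherwise 'medium'."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if parent not in OFFICE_APPS or child not in LOADERS:
            continue
        if ".dll" in cmdline.lower() and USER_WRITABLE.search(cmdline):
            alerts.append(Alert(ev["ProcessId"], "high",
                                f"{parent} -> {child} loading DLL from user-writable path"))
        else:
            alerts.append(Alert(ev["ProcessId"], "medium", f"{parent} -> {child}"))
    return alerts


# Constructed sample events: one drop-then-load, one benign Office child (print
# spooler helper), one rundll32 with a non-Office parent, one Excel -> PowerShell.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",Start'},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},
    {"ProcessId": 4302,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ProcessId": 4410,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\Downloads\run.ps1"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert.process_id, alert.severity, alert.reason)
```

The parent/child pairing is the durable signal here; the DLL path check only adjusts severity, so a loader that receives its DLL through a different mechanism still produces a medium alert. Tune OFFICE_APPS and LOADERS to the applications actually present in your environment before deploying.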
Data Collection Mechanisms
Upon execution, Daolpu’s primary objective is to gather sensitive information from the compromised machine. The malware employs credential dumping techniques to extract saved passwords and sensitive data from popular web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge. Notably, the inclusion of the Coc Coc Browser—widely used in Vietnam—highlights a potential targeting of specific regional entities. In addition to browser credentials, Daolpu systematically searches the local file system for documents that match specific file extensions, such as .doc, .docx, .xls, .xlsx, .pdf, .txt, .ppt, and .pptx. This targeted search allows the malware to compile a comprehensive dataset of potentially sensitive information, ranging from personal identification data to proprietary corporate documents.
Exfiltration and Command and Control
After collecting the desired data, Daolpu exfiltrates this information back to the attacker’s command and control (C2) server. This process occurs over HTTP channels, using multipart POST requests to transmit the stolen data. Notably, the lack of encryption in this transmission underscores the malware’s hurried development, which may have prioritized speed over security. The C2 server, hosted by Linode LLC, facilitates a one-way communication channel, where data flows from the infected host to the attacker without receiving any commands or updates in return. The exfiltrated information includes a consolidated file containing all harvested credentials and sensitive data, allowing attackers to use this information for malicious purposes, such as identity theft or financial fraud. The malware also captures the victim’s MAC address to uniquely identify the compromised system, ensuring the attackers can track and manage multiple infected devices.
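The exfiltration traffic described above has a distinctive shape: cleartext HTTP, POST method, multipart body, sizeable upload to a host the organization has no business relationship with. The script below is an added example for this page, not code from the write-up or its source analysis; it scans web-proxy log lines for that shape and totals the volume per client. The log format (timestamp, client, destination, method, scheme, path, status, bytes out, content type), the allowlist and every sample line are constructed assumptions.

```python
"""Added example: flag cleartext multipart POST uploads in web-proxy logs, the
traffic shape attributed to Daolpu's exfiltration. Not the write-up's code;
the log format and all sample lines are constructed."""
from collections import defaultdict

# Constructed sample log. Fields: ts client dst method scheme path status bytes_out content_type
SAMPLE_LOG = """\
2024-07-24T10:15:02Z 10.0.0.5 198.51.100.23 POST http /upload 200 583214 multipart/form-data
2024-07-24T10:15:09Z 10.0.0.5 198.51.100.23 POST http /upload 200 491002 multipart/form-data
2024-07-24T10:16:40Z 10.0.0.7 files.example.com POST https /api/v1/files 201 2048311 multipart/form-data
2024-07-24T10:17:01Z 10.0.0.9 203.0.113.8 GET http /index.html 200 412 text/html
2024-07-24T10:17:30Z 10.0.0.5 203.0.113.8 POST http /login 302 318 application/x-www-form-urlencoded
"""


def parse_line(line):
    """Split one constructed-format log line into a record with typed numeric fields."""
    ts, client, dst, method, scheme, path, status, bytes_out, ctype = line.split()
    return {"ts": ts, "client": client, "dst": dst, "method": method,
            "scheme": scheme, "path": path, "status": int(status),
            "bytes_out": int(bytes_out), "ctype": ctype}


def find_cleartext_uploads(log_text, allowlist=frozenset(), min_bytes=100_000):
    """Return records that are POST over plain http with a multipart body,
    larger than min_bytes, to a destination outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST" or rec["scheme"] != "http":
            continue
        if not rec["ctype"].startswith("multipart/form-data"):
            continue
        if rec["dst"] in allowlist or rec["bytes_out"] < min_bytes:
            continue
        hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Aggregate flagged uploads per source host: request count, total bytes, destinations."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "destinations": set()})
    for h in hits:
        t = totals[h["client"]]
        t["requests"] += 1
        t["bytes_out"] += h["bytes_out"]
        t["destinations"].add(h["dst"])
    return dict(totals)


if __name__ == "__main__":
    flagged = find_cleartext_uploads(SAMPLE_LOG, allowlist={"files.example.com"})
    for client, t in summarize_by_client(flagged).items():
        print(client, t["requests"], "requests,", t["bytes_out"], "bytes ->", sorted(t["destinations"]))
```

The size threshold and allowlist keep ordinary form submissions and sanctioned file-sharing services out of the results; in practice the destination would also be checked against hosting-provider address ranges rather than a fixed string, since the write-up notes the C2 sat on a cloud provider.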
Conclusion
The Daolpu Infostealer represents a sophisticated yet rapidly deployed malware threat that exploits user behavior and system vulnerabilities. By leveraging phishing tactics, malicious macros, and targeted data collection techniques, Daolpu demonstrates the ongoing evolution of cyber threats in today’s digital landscape. Understanding the operational mechanics of such malware is crucial for organizations and individuals to bolster their defenses against similar attacks. As cybercriminals continue to refine their strategies, proactive measures—including user education, robust email filtering, and advanced threat detection solutions—are essential to mitigate the risk of falling victim to such threats.

MITRE Tactics and Techniques

Initial Access:
  • Phishing (T1566): Daolpu Infostealer is spread via phishing campaigns, using weaponized Word documents to trick users into enabling macros.
  • User Execution (T1203): The malware relies on users enabling macros to execute the malicious payload when they open the document.
Execution:
  • Scripting (T1064): The macro script within the Word document executes the malware upon document opening.
Collection:
  • Credential Dumping (T1003): Daolpu collects credentials from web browsers like Firefox, Chrome, and Edge.
  • Data from Local System (T1005): The malware searches for sensitive documents on the infected machine, targeting specific file types (.doc, .pdf, etc.).
Exfiltration:
  • Exfiltration Over Web Service (T1041): The stolen data is sent to the attacker's command and control (C2) server using HTTP POST requests.
  • Automated Exfiltration (T1041): Data is exfiltrated without further user interaction, automatically transferring the stolen information.
Command and Control:
  • Web Service (T1102): The malware communicates with a C2 server hosted on a cloud provider.
  • Ingress Tool Transfer (T1105): The malware may download additional payloads or tools from the C2 server.
References:
  • Daolpu Infostealer: Full analysis of the latest malware exploited post CrowdStrike outage