Scammers are flooding the internet with CrowdStrike typosquatting scams and fake repair manuals

Be careful how you fix your CrowdStrike problem

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are using thefalloutfrom the recent CrowdStrike incident to target people looking for a fix withmalware- and experts have warned some are quite creative in their campaigns, since on the surface it really seems as if they’re helping fix the problem.

Crowdstrike says it observed a phishing campaign, in which crooks are sharing a document called ‘New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm,’BleepingComputerreports.

When opened, the document shows a copy of aMicrosoftsupport bulletin that instructs the reader on how to use the new Microsoft Recovery Tool - which should automatically delete the flawed CrowdStrike driver from the Windows PC.

Infected with Daolpu

Infected with Daolpu

However, the document is also laden with macros that ultimately deliver an infostealer. A macro is a feature in Microsoft Office that helps automate repetitive tasks. Throughout the years it was abused to deliver malware to that extent that Microsoft essentially killed the feature.

In this instance, however, the crooks are still using macros to install an infostealer called Daolpu. This malware steals account credentials, browser history, and authentication cookies stored in Chrome, Edge, Firefox. It also steals information stored in Cốc Cốc - a web browser popular in Vietnam, whichBleepingComputerargues could point to the threat actor’s origins, or at least location.

CrowdStrike pushed a faulty update that bricked many Windows PCs around the world and forced them into an infinite boot loop. Many major organizations, including banks, airlines, and television stations, were unable to operate as a result.

Unsurprisingly to anyone, this event brought cybercriminals out of the woodwork, using it as an opportunity to compromise devices, steal sensitive information, and possibly steal money, too.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The US Cybersecurity and Infrastructure Security Agency (CISA) hasalso warned of an ongoing phishing campaign, telling users to “avoid clicking on phishing emails or suspicious links.”

CISA says it has already observed multiple campaigns in which crooks either impersonated CrowdStrike, or presented themselves as IT pros capable of quickly fixing the problem. In at least one of such emails, the fraudsters asked for money in cryptocurrencies, in exchange for a fix.

A separate warning from AnyRun highlighted a malware campaign targeting BBVA bank customers offering a fake CrowdStrike Hotfix update that actually installs the Remcos remote access tool (RAT).

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report