References
Glory Sprout string decryptor:
gsprout_string_decryption.py
Glory Sprout Hash resolver:
gsprout_api_resolver.py
GlorySprout sample:
Malwarebazaar
Insight from GlorySprout and Taurus Stelaer:
RussianPanda Research Blog
Let’s play (again) with Predator the thief
An In-Depth analysis of the new Taurus Stealer

Strategy 1: Know What You Are Protecting and Why
Strategy 2: Give the SOC the Authority to Do Its Job
Strategy 3: Build a SOC Structure to Match Your Organizational Needs
Strategy 4: Hire AND Grow Quality Staff
Strategy 5: Prioritize Incident Response
Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence
Strategy 7: Select and Collect the Right Data
Strategy 8: Leverage Tools to Support Analyst Workflow
Strategy 9: Communicate Clearly, Collaborate Often, Share Generously
Strategy 10: Measure Performance to Improve Performance
Strategy 11: Turn up the Volume by Expanding SOC Functionality

Supposedly deleting “C-00000291*.sys” file in C:\Windows\System32\drivers\CrowdStrike directory fixes the issue. But editing system files you always do on your own risk :)

How are you deploying this to BSOD'd boxes?


You can remotely apply the GPOs using tools like Group Policy Management Console (GPMC) from a server or another computer with administrative privileges. If remote access is not possible due to the BSOD, you may need to boot the affected systems using a Windows recovery environment or a bootable media, manually apply the noscripts to force Safe Mode, and then restart the systems to allow the GPOs to execute the fix. I haven't tested it across multiple affected devices yet, but theoretically, booting into Safe Mode by GPO and then deleting the problematic driver should work. The idea is based on standard troubleshooting steps that target specific faulty drivers causing the BSOD.