Hackers Exploit CrowdStrike Issues to Attack Windows Systems With RemCos Malware

by Esmeralda McKenzie

On July 19, 2024, CrowdStrike identified an issue in a content update for the Falcon sensor affecting Windows operating systems. A fix was promptly deployed.

Threat actors are actively exploiting this incident to target CrowdStrike customers through various malicious activities, such as sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike staff in phone calls, and more.


Additionally, threat actors have exploited this event to distribute malicious files targeting the Windows systems of Latin America-based (LATAM) CrowdStrike customers.

A malicious ZIP archive named crowdstrike-hotfix.zip was uploaded to an online malware-scanning service by a Mexico-based submitter.

This archive contains a HijackLoader payload that, when executed, loads RemCos. The Spanish filenames and instructions within the ZIP archive suggest a targeted campaign against LATAM customers.

According to the CrowdStrike report, this campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.

Technical Breakdown:

The ZIP archive (SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2) contains instructions in Spanish, posing as a utility to fix the content update issue.

Users are prompted to run Setup.exe (SHA256: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9), which loads HijackLoader via DLL search-order hijacking.

HijackLoader is a modular loader designed to evade detection, and it uses a configuration file named maidenhair.cfg (SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6) to deliver the final RemCos payload.

The RemCos payload contacts a command-and-control (C2) server at 213.5.130[.]58[:]433.

CrowdStrike has also identified several typosquatting domains impersonating its brand. This incident marks the first observed instance of a threat actor leveraging the Falcon content issue to distribute malicious files.


Organizations are advised to communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support teams.

“CrowdStrike has apologized for an outage attributable to a defect in a Falcon content update affecting Windows hosts, while clarifying it was not a cyberattack. The issue has been resolved, and customer systems are being restored,” George Kurtz, CrowdStrike Founder and CEO, said.

Detection and Indicators of Compromise (IOCs):

CrowdStrike has provided a Falcon LogScale query to detect the described activity:

// Hunting query for indicators (CSA-240835)
case {
  in("SHA256HashData", values=[
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"
  ]);
  in("RemoteAddressIP4", values=["213.5.130.58"])
}
| table([cid, aid, #event_simpleName, ComputerName])

Key IOCs:

File Name               SHA256 Hash
crowdstrike-hotfix.zip  c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Setup.exe               5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
madBasic_.bpl           d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
maidenhair.cfg          931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
RemCos payload          48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184
RemCos C2 address       213.5.130[.]58[:]443
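For teams without LogScale, the same hunt can be run over exported telemetry. The script below is an added example, not CrowdStrike's code: it refangs the defanged C2 address from the IOC table, matches the published hashes case-insensitively, and flags events the way the query above does (hash or IP, not port). The JSON-lines events are constructed sample data whose field names are assumed to follow the query.

```python
import json

# Published IOC hashes (from the table above), mapped to the file they identify
IOC_HASHES = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea": "madBasic_.bpl",
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6": "maidenhair.cfg",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184": "RemCos payload",
}
IOC_C2_DEFANGED = "213.5.130[.]58[:]443"  # as published in the IOC table


def refang(value):
    """Turn a defanged indicator like 213.5.130[.]58[:]443 into (ip, port)."""
    ip_port = value.replace("[.]", ".").replace("[:]", ":")
    ip, _, port = ip_port.partition(":")
    return ip, (int(port) if port else None)


C2_IP, C2_PORT = refang(IOC_C2_DEFANGED)  # matched on IP only, like the query

# Constructed sample telemetry (JSON lines); the first two lines should hit
SAMPLE_EVENTS = """
{"cid":"c1","aid":"a1","event_simpleName":"PeFileWritten","ComputerName":"WS01","SHA256HashData":"C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2"}
{"cid":"c1","aid":"a2","event_simpleName":"NetworkConnectIP4","ComputerName":"WS02","RemoteAddressIP4":"213.5.130.58","RemotePort":443}
{"cid":"c1","aid":"a3","event_simpleName":"ProcessRollup2","ComputerName":"WS03","SHA256HashData":"0000000000000000000000000000000000000000000000000000000000000000"}
{"cid":"c1","aid":"a4","event_simpleName":"NetworkConnectIP4","ComputerName":"WS04","RemoteAddressIP4":"8.8.8.8","RemotePort":53}
"""


def hunt(jsonl):
    """Return (cid, aid, event_simpleName, ComputerName, reason) for each IOC match."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        sha = ev.get("SHA256HashData", "").lower()  # hashes may be logged in either case
        ip = ev.get("RemoteAddressIP4")
        reason = None
        if sha in IOC_HASHES:
            reason = "hash:" + IOC_HASHES[sha]
        elif ip == C2_IP:
            reason = "c2:" + ip
        if reason:
            hits.append((ev["cid"], ev["aid"], ev["event_simpleName"], ev["ComputerName"], reason))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```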

Source credit : cybersecuritynews.com
