Hackers Exploits CrowdStrike Issues to Attack Windows System With RemCos Malware

On July 19, 2024, CrowdStrike identified an issue in a content update for the Falcon sensor affecting Windows operating systems. A fix was promptly deployed.

Threat actors are now actively exploiting this incident to target CrowdStrike customers through various malicious activities, such as Sending phishing emails posing as CrowdStrike support to customers impersonating CrowdStrike staff in phone calls and more.

However, threat actors have also exploited this event to distribute malicious files targeting Latin America-based (LATAM) CrowdStrike customer’s Windows systems.

A malicious ZIP archive named crowdstrike-hotfix.zip was uploaded to an online malware-scanning service by a Mexico-based submitter.

This archive contains a HijackLoader payload that, when executed, loads RemCos. The Spanish filenames and instructions within the ZIP archive suggest a targeted campaign against LATAM customers.

According to the Crowdstrike report, This campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.  

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Technical Breakdown:

The ZIP archive (SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2) contains instructions in Spanish, posing as a utility to fix the content update issue.

Users are prompted to run Setup.exe (SHA256: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9), which loads HijackLoader via DLL search-order hijacking.

HijackLoader is a modular loader designed to evade detection, and it uses a configuration file named maidenhair.cfg (SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6) to execute the final RemCos payload.

The RemCos payload contacts a command-and-control (C2) server at 213.5.130[.]58[:]433.

CrowdStrike has also identified several typosquatting domains impersonating its brand. This incident marks the first observed instance of a threat actor leveraging the Falcon content issue to distribute malicious files.

crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com

Organizations are advised to communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support teams.

“CrowdStrike has apologized for an outage caused by a defect in a Falcon content update affecting Windows hosts, while clarifying it was not a cyberattack. The issue has been resolved, and customer systems are being restored.” George Kurtz, CrowdStrike Founder and CEO said.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Detection and Indicators of Compromise (IOCs):

CrowdStrike has provided a Falcon LogScale query to detect the described activity:

// Hunting query for indicators (CSA-240835)
case { in("SHA256HashData", values=["931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"]); in("RemoteAddressIP4", values=["213.5.130.58"]) } | table([cid, aid, #event_simpleName, ComputerName])

Key IOCs:

File Name SHA256 Hash
crowdstrike-hotfix.zip c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Setup.exe 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
madBasic_.bpl d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
maidenhair.cfg 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
RemCos Payload 48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184
RemCos C2 Address 213.5.130[.]58[:]443

The post Hackers Exploits CrowdStrike Issues to Attack Windows System With RemCos Malware appeared first on Cyber Security News.