CrowdStrike has warned that an unknown threat actor is trying to capitalize on the Falcon Sensor update fiasco to distribute dubious installers aimed at German customers in a highly targeted campaign.
The cybersecurity firm said it identified an unattributed phishing attempt on July 24, 2024 that distributed a bogus CrowdStrike Crash Reporter installer via a website posing as an unnamed German organization.
The impostor site is said to have been created on July 20, a day after the botched update disabled nearly 9 million Windows devices and caused major IT disruptions around the world.
“After the user clicks the Download button, the website uses JavaScript (JS) masquerading as jQuery v3.7.1 to download and deobfuscate the installer,” CrowdStrike’s anti-adversary team said.
“The installer contains CrowdStrike branding, a German localization, and a password (required) to continue installing the malware.”
Specifically, the phishing page linked to a ZIP archive containing an InnoSetup-packaged installer, with the malicious code that serves the executable embedded in a JavaScript file named “jquery-3.7.1.min.js” in an apparent attempt to evade detection.
Users who end up running the fake installer are prompted to log in to the “Backend Server” to continue. CrowdStrike said it was unable to recover the final payload deployed via the installer.
The campaign is rated as highly targeted because the installer is password protected and requires input that is likely known only to the targeted entity. In addition, the German localization indicates that the activity is aimed at CrowdStrike’s German-speaking customers.
“The threat actor appears to be well-versed in operations security (OPSEC) practices, as they focused on anti-forensic techniques during this campaign,” CrowdStrike said.
“For example, a participant registered a subdomain under the it(.)com domain, which prevents historical analysis of domain registration details. Additionally, encrypting the contents of the installer and preventing further actions without a password precludes further analysis and attribution.”
The development comes amid a wave of phishing attacks exploiting the CrowdStrike update issue to spread information-stealing malware:
- A phishing domain, crowdstrike-office365(.)com, that hosts fake archive files containing a Microsoft Installer (MSI) loader that eventually launches a commodity information stealer known as Lumma.
- A ZIP file (“CrowdStrike Falcon.zip”) containing a Python-based information stealer tracked as Connecio that collects system information, the external IP address and data from various web browsers, and exfiltrates it to SMTP accounts listed at a Pastebin dead-drop URL.
CrowdStrike CEO George Kurtz said Thursday that 97% of Windows devices that went offline during the global IT outage are now operational.
“Our mission at CrowdStrike is to earn your trust by protecting your business. I am very sorry for the disruption caused by this outage, and I personally apologize to everyone affected,” Kurtz said. “While I can’t promise perfection, I can promise that the response will be focused, effective and with a sense of urgency.”
The company’s chief security officer, Shawn Henry, previously apologized for failing to “protect good people from bad things” and said the company had “let down the very people we are committed to protecting.”
“The confidence we built up over the years in drips was lost in buckets in a matter of hours, and it was a shock,” Henry said. “We’re committed to earning your trust again by providing the protection you need to thwart adversaries who target you. Despite this setback, the mission will endure.”
Meanwhile, Bitsight’s analysis of traffic patterns exhibited by CrowdStrike machines at organizations around the world revealed two “interesting” data points that it said warrant further investigation.
“First, there was a huge spike in traffic around 10:00 p.m. on July 16, followed by a clear and significant drop in outbound traffic from organizations to CrowdStrike,” security researcher Pedro Umbelino said. “Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to the CrowdStrike Falcon servers after dawn on the 19th.”
“While we cannot conclude what is the root cause of the change in traffic patterns on the 16th, it does warrant a fundamental question: ‘Is there a correlation between the sightings on the 16th and the outage on the 19th?’”