Cybersecurity firm CrowdStrike, which has been widely blamed for causing IT disruptions worldwide by releasing a flawed update for Windows devices, is now warning that threat actors are exploiting the situation to distribute the Remcos RAT to its customers in Latin America under the guise of providing a fix.
The attack chain involves the distribution of a ZIP archive file named “crowdstrike-hotfix.zip”, which contains a malware loader known as Hijack Loader (aka DOILoader or IDAT Loader) that in turn launches the Remcos RAT payload.
The archive also includes a text file (“instrucciones.txt”) with instructions in Spanish telling the target to run an executable file (“setup.exe”) to fix the problem.
“Notably, the Spanish file names and instructions in the ZIP archive indicate that this campaign is likely targeting CrowdStrike’s Latin American (LATAM) customers,” the company said, attributing the campaign to a suspected cybercriminal group.
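The lure described above has a recognisable shape: an archive whose name promises a hotfix, a Spanish-language instruction file, and an executable the reader is told to run. The following script is an added example (not CrowdStrike's tooling and not from the original article) showing how a mail gateway or triage analyst could score an archive against exactly those indicators. The archive and member names are taken from the page; the sample archives, their contents, and the `score`/`suspicious` threshold are constructed for illustration, and the "executable" member is an inert stub carrying only a PE magic number.

```python
import io
import zipfile

# Indicators from the campaign described above: the archive name and the
# two member file names are the ones reported on the page.
LURE_ARCHIVE_NAMES = {"crowdstrike-hotfix.zip"}
LURE_INSTRUCTION_FILES = {"instrucciones.txt"}
# Extensions a "run this to fix it" lure would typically point at (assumption).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
PE_MAGIC = b"MZ"  # first two bytes of any Windows PE executable


def inspect_archive(archive_name, data):
    """Score a ZIP archive against the fake-hotfix lure pattern.

    `data` is the raw bytes of the ZIP. Returns a dict of findings with a
    simple indicator count; a score of 2 or more is treated as suspicious
    (threshold chosen for this example, tune it for your environment)."""
    findings = {
        "archive_name_match": archive_name.lower() in LURE_ARCHIVE_NAMES,
        "instruction_file": None,
        "executables": [],
        "pe_members": [],
        "score": 0,
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            if base in LURE_INSTRUCTION_FILES:
                findings["instruction_file"] = name
            if base.endswith(EXECUTABLE_SUFFIXES):
                findings["executables"].append(name)
            # Check the member header too, so a renamed executable is still caught.
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    findings["pe_members"].append(name)
    score = 0
    if findings["archive_name_match"]:
        score += 1
    if findings["instruction_file"]:
        score += 1
    if findings["executables"] or findings["pe_members"]:
        score += 1
    findings["score"] = score
    findings["suspicious"] = score >= 2
    return findings


def build_sample_lure():
    """Constructed sample laid out like the reported lure. The members are
    inert placeholders: a one-line text file and a PE magic number with no code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instrucciones.txt", "Ejecute setup.exe para reparar el problema.\n")
        zf.writestr("setup.exe", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def build_benign_archive():
    """Constructed sample of an ordinary archive with no lure indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Quarterly report\n")
        zf.writestr("report.csv", "a,b\n1,2\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("crowdstrike-hotfix.zip", build_sample_lure()),
                       ("report.zip", build_benign_archive())):
        result = inspect_archive(name, blob)
        print(name, "suspicious" if result["suspicious"] else "clean", result)
```

The PE-header check is what makes the scorer useful beyond this one campaign: an attacker who renames `setup.exe` to `setup.txt` still hands over a file beginning with `MZ`, and the archive-name and instruction-file indicators can be extended as new lure variants are reported.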
On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to the Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a blue screen of death (BSoD), rendering numerous systems inoperable and sending businesses into a tailspin.
The event affected Falcon sensor clients for Windows version 7.11 and higher that were online between 04:09 and 05:27 UTC.
Attackers wasted no time in capitalizing on the chaos created by the event to create typosquatting domains that mimic CrowdStrike and advertise services to companies affected by the issue in exchange for payment in cryptocurrency.
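Typosquatting works because a near-miss spelling or an extra word such as "support" or "fix" reads as legitimate at a glance. The script below is an added example (not from the article or from CrowdStrike) of how a defender can triage observed domains, for instance from proxy or DNS logs, against a brand name: it flags domains that embed the brand in a non-official label and domains whose registrable label is within a small edit distance of it. The official-domain allowlist, the edit-distance threshold, and the sample domains under the reserved `.test` TLD are all constructed for this illustration.

```python
# Edit-distance based lookalike triage for a single brand name.
BRAND = "crowdstrike"
# Assumption: in practice this allowlist comes from the organisation's own records.
OFFICIAL_DOMAINS = {"crowdstrike.com"}
MAX_DISTANCE = 2  # chosen for this example; 1 is stricter, 3 catches more but noisier


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Return the label left of the TLD. Assumption: single-label TLDs only;
    a production version would consult the Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(host, brand=BRAND, official=OFFICIAL_DOMAINS, max_distance=MAX_DISTANCE):
    """Classify a hostname as 'official', 'lookalike' or 'unrelated'."""
    host = host.lower().strip(".")
    if host in official or any(host.endswith("." + d) for d in official):
        return "official"
    label = registrable_label(host)
    if brand in label:
        return "lookalike"   # brand embedded with extra words, e.g. brand-support
    if levenshtein(label, brand) <= max_distance:
        return "lookalike"   # near-miss spelling such as a swapped character
    return "unrelated"


def triage(domains):
    """Map each observed domain to its classification."""
    return {d: classify_domain(d) for d in domains}


# Constructed sample domains; the .test TLD is reserved and never resolves.
SAMPLE_DOMAINS = [
    "support.crowdstrike.com",
    "crowdstrlke.test",
    "crowdstrike-fix.test",
    "example.test",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_DOMAINS).items():
        print(f"{domain:28} {verdict}")
```

Feeding the output into a blocklist or an alert rule is the natural next step; the `official` branch comes first so that legitimate subdomains are never flagged, and the containment check catches the "brand plus keyword" registrations that edit distance alone would miss.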
Affected customers are advised to “ensure they communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support.”