Analysis Summary

A new threat actor is trying to take advantage of the Falcon Sensor update debacle, according to CrowdStrike, by distributing suspicious installers to German clients as part of a highly focused operation.

The cybersecurity firm reported that on July 24, 2024, it discovered what it called an unattributed spear-phishing attempt that disseminated a fake CrowdStrike Crash Reporter installer through a website pretending to be an unidentified German organization. On July 20, a day after the botched update crashed around 9 million Windows devices and caused significant global IT disruptions, the phony website is purported to have been built.

The website uses JavaScript (JS), which poses as JQuery v3.7.1, to download and deobfuscate the installer when the user clicks the Download button. The installer requires a password to proceed with the malware installation, and it features German localization and CrowdStrike branding. In particular, the spear-phishing page included a download link for a ZIP archive file that contained a malicious InnoSetup installer. Seemingly to avoid detection, the malicious code served the executable by being injected into a JavaScript file called "jquery-3.7.1.min.js".

After starting the fake installer, users are then required to enter a "Backend-Server" to continue. According to CrowdStrike, the installer's final payload could not be recovered. Because the installer is password-protected and requires information that is probably only known to the targeted entities, the campaign is deemed to be highly targeted. Moreover, the use of German implies that the activity is intended for CrowdStrike users who speak the language.

The threat actor has concentrated on anti-forensic tactics during this campaign, suggesting that they are well-versed in operations security (OPSEC) procedures. To prevent historical investigation of the domain-registration records, the actor, for instance, established a subdomain under the it[.]com domain. Further analysis and attribution are also prevented by encrypting the installer's data and preventing access without a password.

This occurs amid a surge of phishing attempts that use the CrowdStrike update problem to spread stealth malware, such as the Microsoft Installer (MSI) loader found in malicious archive files hosted by the phishing domain crowdstrike-office365[.]com eventually launches the Lumma commodities information stealer and a file named "CrowdStrike Falcon.zip" contains a Python-based information stealer known as Connecio, which is tracked and gathers data, system information, and external IP addresses from different web browsers before exfiltrating it to SMTP accounts that are mentioned on a dead-drop URL on Pastebin.

George Kurtz, the CEO of CrowdStrike, announced on Thursday that 97% of the Windows machines that were offline during the worldwide IT outage are now back online. Shawn Henry, the business's chief security officer, has expressed regret for not doing enough to shield people from evil and said that this let down the same individuals that the organization promised to defend.

Impact

• Information Theft
• Unauthorized Access

Indicators of Compromise

MD5

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.