Severity
High
Analysis Summary
CrowdStrike has warned that threat actors are taking advantage of its recent outage to distribute Remcos RAT to its customers in Latin America under the pretense of offering a hotfix. The company is currently under fire for the global IT disruption caused by a faulty update pushed to Windows devices.
The attack chain starts with a ZIP archive named "crowdstrike-hotfix.zip". It carries HijackLoader (also known as DOILoader or IDAT Loader), a malware loader that in turn deploys the Remcos RAT payload. The archive also contains a text file named "instrucciones.txt" with Spanish-language instructions urging the user to run an executable named "setup.exe" to fix the problem.
The company reported, “Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers.”
The outage itself stemmed from a routine sensor configuration update that CrowdStrike pushed to its Falcon platform for Windows on July 19. The update triggered a logic error in the sensor that caused a Blue Screen of Death (BSoD), leaving many systems unusable and causing widespread business disruption; CrowdStrike acknowledged the problem the same day (Friday). Customers running Falcon sensor for Windows version 7.11 and above that were online between 04:09 and 05:27 UTC on July 19 were affected.
Threat actors wasted no time exploiting the confusion: typosquatting domains impersonating CrowdStrike appeared, some offering recovery services to affected businesses in exchange for cryptocurrency payments. Affected customers should follow only the technical guidance published by CrowdStrike support and verify that they are communicating with CrowdStrike representatives through official channels.
Impact
- Unauthorized Remote Access
- Exposure of Sensitive Data
Indicators of Compromise
IP
- 213.5.130.58
MD5
- 1e84736efce206dc973acbc16540d3e5
- 9d255e04106ba7dcbd0bcb549e9a5a4e
- 7daa2b7fe529b45101a399b5ebf0a416
- 84bc072f8ea30746f0982afbda3c638f
- 28f0ccf746f952f94ff434ca989b7814
- 21068dfd733435c866312d35b9432733
- 630991830afe0b969bd0995e697ab16e
- 849070ebd34cbaedc525599d6c3f8914
- da03ebd2a8448f53d1bd9e16fc903168
SHA-256
- c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
- 02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5
- 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
- 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
- 6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2
- 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
- b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
- b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
- d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
SHA-1
- fef212ec979f2fe2f48641160aadeb86b83f7b35
- a9becb85b181c37ee5a940e149754c1912a901f1
- fd73f3561d0cebe341a6c380681fb08841fa5ce6
- f39343933ff3fc7934814d6d3b7b098bc92540a0
- 506e85d2de6377492d90b98aa20663b0ff3ce32a
- 3d5336c676d3dd94500d0d2fe853b9de457f10fd
- feda243d83fba15b23d654513dc1f0d70787ba18
- b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
- 889b4f487d8bba6af6ff6eb7f5afd74957586c49
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not open archives or documents attached to emails from unknown sources, and never run an executable offered as a "hotfix" for the Falcon outage outside CrowdStrike's official support channels; likewise refrain from enabling macros when the source isn't trusted.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
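The IOC lists above and the first two remediation items call for hunting these indicators in your environment. The following Python script is an added example, not part of the advisory or CrowdStrike's tooling: it hashes every file under a directory against the MD5/SHA-1/SHA-256 indicators listed above, flags ZIP archives with the described lure layout (crowdstrike-hotfix.zip containing instrucciones.txt and setup.exe), and picks out log lines that reference the listed C2 IP. The stand-in archive and the proxy log lines it stages are constructed for the demonstration and are harmless; the function names and the log format are assumptions.

```python
"""Added example (not from the advisory): hunt for the listed hashes, the lure ZIP layout and the C2 IP."""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Indicators copied from the advisory above (lowercase hex).
IOC_MD5 = {
    "1e84736efce206dc973acbc16540d3e5", "9d255e04106ba7dcbd0bcb549e9a5a4e", "7daa2b7fe529b45101a399b5ebf0a416",
    "84bc072f8ea30746f0982afbda3c638f", "28f0ccf746f952f94ff434ca989b7814", "21068dfd733435c866312d35b9432733",
    "630991830afe0b969bd0995e697ab16e", "849070ebd34cbaedc525599d6c3f8914", "da03ebd2a8448f53d1bd9e16fc903168",
}
IOC_SHA1 = {
    "fef212ec979f2fe2f48641160aadeb86b83f7b35", "a9becb85b181c37ee5a940e149754c1912a901f1", "fd73f3561d0cebe341a6c380681fb08841fa5ce6",
    "f39343933ff3fc7934814d6d3b7b098bc92540a0", "506e85d2de6377492d90b98aa20663b0ff3ce32a", "3d5336c676d3dd94500d0d2fe853b9de457f10fd",
    "feda243d83fba15b23d654513dc1f0d70787ba18", "b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa", "889b4f487d8bba6af6ff6eb7f5afd74957586c49",
}
IOC_SHA256 = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5",
    "2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed", "52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006",
    "6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2", "835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299",
    "b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3", "b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea",
}
IOC_IPS = {"213.5.130.58"}
# Lure layout described in the advisory: archive name plus its two member files.
LURE_ARCHIVE_NAME = "crowdstrike-hotfix.zip"
LURE_MEMBERS = {"instrucciones.txt", "setup.exe"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hash_file(path, chunk=1 << 20):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for a file, reading it once in chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def match_hashes(digests, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Return (algorithm, digest) pairs from `digests` that appear in the indicator sets."""
    indicators = {"md5": md5, "sha1": sha1, "sha256": sha256}
    return [(algo, d) for algo, d in digests.items() if d.lower() in indicators[algo]]

def lure_members(path):
    """Return the lure member names found inside a ZIP (empty set for non-ZIP files)."""
    if not zipfile.is_zipfile(path):
        return set()
    with zipfile.ZipFile(path) as zf:
        return {Path(name).name.lower() for name in zf.namelist()} & LURE_MEMBERS

def scan_tree(root):
    """Hash every file under root and report indicator hits and lure-shaped archives."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        reasons = []
        hits = match_hashes(hash_file(path))
        if hits:
            reasons.append("hash match: " + ", ".join(f"{a}={d}" for a, d in hits))
        if path.name.lower() == LURE_ARCHIVE_NAME:
            reasons.append("archive name matches lure")
        if lure_members(path) == LURE_MEMBERS:  # both lure members present
            reasons.append("ZIP contains instrucciones.txt + setup.exe")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings

def find_c2_in_logs(lines, ips=IOC_IPS):
    """Return proxy/firewall log lines that reference an indicator IP (log format is assumed)."""
    return [line for line in lines if ips & set(IP_RE.findall(line))]

def build_constructed_lure(dest_dir):
    """Write a harmless stand-in with the lure's layout; the bytes are made up, NOT the real sample."""
    dest = Path(dest_dir) / LURE_ARCHIVE_NAME
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr("instrucciones.txt", "Ejecute setup.exe para aplicar el hotfix.\n")
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62 + b"placeholder, not a real PE\n")
    return dest

def run_demo():
    """Stage the constructed lure next to an unrelated file, scan, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        lure = build_constructed_lure(tmp)
        (Path(tmp) / "notes.txt").write_text("unrelated file, must not be flagged\n")
        digests = hash_file(lure)
        return {
            "findings": scan_tree(tmp),
            # Injecting the stand-in's own SHA-256 as an indicator shows what a real hash hit looks like.
            "injected_hit": match_hashes(digests, sha256={digests["sha256"]}),
            # Constructed log lines; only the first one touches the advisory's C2 IP.
            "c2_lines": find_c2_in_logs([
                "2024-07-20T10:01:02Z proxy allow src=10.0.0.5 dst=213.5.130.58:443",
                "2024-07-20T10:01:05Z proxy allow src=10.0.0.5 dst=93.184.216.34:443",
            ]),
        }

if __name__ == "__main__":
    print(run_demo())
```

Run it without arguments to see the staged sample flagged, or call scan_tree() on a real path such as a user's Downloads folder; each file is read once for all three digests, so large trees are not hashed three times over. Treat a hash hit as a confirmed indicator and a name-only hit (archive name or member layout) as a triage lead, since a legitimate archive could share those names.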