Hackers Exploit CrowdStrike Issues to Launch RemCos Malware on Windows


On July 19, 2024, CrowdStrike identified an issue in a content update for the Falcon sensor affecting Windows operating systems. A fix was promptly deployed.

Threat actors are now actively exploiting this incident to target CrowdStrike customers through various malicious activities, such as sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike staff in phone calls, and more.


Threat actors have also exploited this event to distribute malicious files targeting the Windows systems of Latin America-based (LATAM) CrowdStrike customers.

A malicious ZIP archive named crowdstrike-hotfix.zip was uploaded to an online malware-scanning service by a Mexico-based submitter.

This archive contains a HijackLoader payload that, when executed, loads RemCos. The Spanish filenames and instructions within the ZIP archive suggest a targeted campaign against LATAM customers.

According to the CrowdStrike report, this campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.


Technical Breakdown:

The ZIP archive (SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2) contains instructions in Spanish, posing as a utility to fix the content update issue.

Users are prompted to run Setup.exe (SHA256: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9), which loads HijackLoader via DLL search-order hijacking.

HijackLoader is a modular loader designed to evade detection, and it uses a configuration file named maidenhair.cfg (SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6) to execute the final RemCos payload.

The RemCos payload contacts a command-and-control (C2) server at 213.5.130[.]58[:]433.

CrowdStrike has also identified several typosquatting domains impersonating its brand:

crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com

Organizations are advised to communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support teams.

“CrowdStrike has apologized for an outage caused by a defect in a Falcon content update affecting Windows hosts, while clarifying it was not a cyberattack. The issue has been resolved, and customer systems are being restored,” said George Kurtz, CrowdStrike Founder and CEO.


Detection and Indicators of Compromise (IOCs):

CrowdStrike has provided a Falcon LogScale query to detect the described activity:

// Hunting query for indicators (CSA-240835)
case {
  in("SHA256HashData", values=[
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"]);
  in("RemoteAddressIP4", values=["213.5.130.58"])
}
| table([cid, aid, #event_simpleName, ComputerName])

Key IOCs:

File Name                 SHA256 Hash
crowdstrike-hotfix.zip    c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Setup.exe                 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
madBasic_.bpl             d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
maidenhair.cfg            931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
RemCos Payload            48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184

RemCos C2 Address         213.5.130[.]58[:]443
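For teams without Falcon LogScale, the same indicators can be checked offline. The script below is an added example written for this article, not CrowdStrike's tooling or anything from the report: it matches the file hashes from the IOC table against files on disk, and the RemCos C2 address and the typosquatting domains listed above against proxy, DNS or firewall log lines. Indicators are kept defanged in the source and refanged only at match time. The log lines at the bottom are constructed for the demonstration, and the domain list is a subset of the one above (paste in the rest as needed). Note that the LogScale query above does not include the Setup.exe hash from the table; this script does.

```python
"""Added example (not code from the page or CrowdStrike): an offline matcher that
checks files and log lines against the indicators this page lists. The sample
log lines at the bottom are constructed for the demonstration."""
import hashlib
import re
from pathlib import Path

# SHA256 values from the page's IOC table, mapped to the file they belong to.
IOC_SHA256 = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea": "madBasic_.bpl",
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6": "maidenhair.cfg",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184": "RemCos payload",
}

# RemCos C2 from the page, stored defanged so the indicator is never a live link.
IOC_C2 = "213.5.130[.]58[:]443"

# Typosquatting domains from the page (a subset; extend with the full list).
IOC_DOMAINS = [
    "crowdstrike.phpartners[.]org",
    "crowdstrike0day[.]com",
    "crowdstrikebluescreen[.]com",
    "crowdstrike-bsod[.]com",
    "crowdstrikeupdate[.]com",
    "www.fix-crowdstrike-bsod[.]com",
    "crowdstrikefix[.]com",
    "crowdstrike-helpdesk[.]com",
    "crowdstriketoken[.]com",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('1.2.3[.]4[:]443', 'bad[.]com') back to its real form."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def sha256_file(path) -> str:
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, hashes=IOC_SHA256):
    """Return (path, sha256, label) for every file under root whose hash is a known IOC."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            if digest in hashes:
                hits.append((str(path), digest, hashes[digest]))
    return hits


def match_log_line(line, c2=IOC_C2, domains=IOC_DOMAINS):
    """Return the indicators found in one log line (proxy, DNS, firewall, ...)."""
    findings = []
    ip, port = refang(c2).split(":")
    # Match the IP as a whole dotted token, then loosely check whether the C2 port
    # also appears on the line (covers both "ip:443" and "dst=ip dport=443" layouts).
    if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
        findings.append(f"c2_ip:{ip}")
        if re.search(r"(?<![\d.])" + port + r"(?!\d)", line):
            findings.append(f"c2_port:{port}")
    low = line.lower()
    for d in domains:
        real = refang(d).lower()
        # Allow a leading subdomain label ("mail." + domain) but not a longer name glued on.
        if re.search(r"(?<![\w-])" + re.escape(real) + r"(?![\w-])", low):
            findings.append(f"typosquat:{real}")
    return findings


# Constructed sample log lines for the demonstration (not real telemetry).
SAMPLE_LOGS = [
    '2024-07-20T10:01:02Z proxy user=alice url="http://crowdstrikefix.com/hotfix" status=200',
    "2024-07-20T10:01:30Z fw src=10.0.0.5 dst=213.5.130.58 dport=443 action=allow",
    "2024-07-20T10:02:00Z dns query=www.crowdstrike.com type=A",
    "2024-07-20T10:02:10Z dns query=notcrowdstrikefix.com type=A",
]


def scan_logs(lines=SAMPLE_LOGS):
    """Return {line_index: findings} for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        found = match_log_line(line)
        if found:
            results[i] = found
    return results


if __name__ == "__main__":
    for idx, found in scan_logs().items():
        print(f"line {idx}: {found}")
```

Point scan_directory at a download or quarantine folder and scan_logs at exported proxy or firewall lines. The domain matcher deliberately accepts subdomains of a listed name but rejects names that merely contain it, so the legitimate www.crowdstrike.com and unrelated lookalikes such as notcrowdstrikefix.com do not fire.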
