technology / Thursday, 04-Sep-2025

Hackers Exploit CrowdStrike Issue to Attack Windows Systems With RemCos Malware


On July 19, 2024, CrowdStrike identified an issue in a content update for the Falcon sensor affecting Windows operating systems. A fix was promptly deployed.

Threat actors are now actively exploiting this incident to target CrowdStrike customers through a range of malicious activity, such as sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike staff in phone calls, and more.

Threat actors have also used the event as a lure to distribute malicious files targeting the Windows systems of Latin America-based (LATAM) CrowdStrike customers.


A malicious ZIP archive named crowdstrike-hotfix.zip was uploaded to an online malware-scanning service by a Mexico-based submitter.

This archive contains a HijackLoader payload that, when executed, loads the RemCos remote access tool. The Spanish-language filenames and instructions inside the ZIP archive suggest a campaign aimed specifically at LATAM customers.

According to the CrowdStrike report, this campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.


Technical Breakdown:

The ZIP archive (SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2) contains instructions in Spanish, posing as a utility to fix the content update issue.

Users are prompted to run Setup.exe (SHA256: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9), which loads HijackLoader via DLL search-order hijacking.

HijackLoader is a modular loader designed to evade detection, and it uses a configuration file named maidenhair.cfg (SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6) to execute the final RemCos payload.

The RemCos payload contacts a command-and-control (C2) server at 213.5.130[.]58[:]443 (the port is 443, as in the IOC table below; the LogScale hunting query keys on the IP address alone).

CrowdStrike has also identified a number of typosquatting domains impersonating its brand, which are likely to be used for phishing and lookalike download pages:

crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com

Organizations are advised to communicate with CrowdStrike representatives only through official channels, to follow the technical guidance provided by CrowdStrike support teams, and to treat any "hotfix" archive or utility arriving by email, phone instruction or a lookalike domain as malicious until proven otherwise.

“CrowdStrike has apologized for an outage caused by a defect in a Falcon content update affecting Windows hosts, while clarifying it was not a cyberattack. The issue has been resolved, and customer systems are being restored.” George Kurtz, CrowdStrike Founder and CEO said.


Detection and Indicators of Compromise (IOCs):

CrowdStrike has provided a Falcon LogScale query to detect the described activity. The query passes an event when either its file hash matches one of the listed SHA256 values or its remote IPv4 address matches the RemCos C2. Note that it lists four hashes and does not include the Setup.exe hash from the IOC table below; add that hash to the list if you want the query to surface the dropper as well.

// Hunting query for indicators (CSA-240835)
case {
    in("SHA256HashData", values=[
        "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
        "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
        "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
        "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"
    ]);
    in("RemoteAddressIP4", values=["213.5.130.58"])
}
| table([cid, aid, #event_simpleName, ComputerName])

Key IOCs:

Indicator               Value (SHA256 unless noted)
crowdstrike-hotfix.zip  c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Setup.exe               5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
madBasic_.bpl           d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
maidenhair.cfg          931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
RemCos payload          48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184
RemCos C2 address       213.5.130[.]58[:]443
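Not every team can run the LogScale query directly against Falcon data; exported JSON telemetry, an extracted copy of the archive, or a DNS log often has to be checked offline. The script below is an added example, not CrowdStrike's code: it re-implements the query's logic (a hit on SHA256 hash OR on remote IPv4 address) in plain Python, hashes files on disk against the same IOCs, and flags queries to the typosquatting domains. The event records, field names such as SHA256HashData and RemoteAddressIP4 (borrowed from the query), the "brand name outside crowdstrike.com" lookalike heuristic, and the host names are all constructed assumptions for illustration.

```python
"""Offline hunt for the CSA-240835 indicators (added example, not CrowdStrike's code)."""
import hashlib
import ipaddress
import json
import os
from typing import Dict, Iterable, List

# Indicators from the page, kept in the defanged form CrowdStrike published.
DEFANGED_IOCS = {
    "hashes": {
        "crowdstrike-hotfix.zip": "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
        "Setup.exe": "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9",
        "madBasic_.bpl": "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea",
        "maidenhair.cfg": "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
        "RemCos payload": "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
    },
    "c2": ["213.5.130[.]58[:]443"],
}
# Subset of the typosquatting domains listed on the page (defanged).
LOOKALIKE_DOMAINS = {"crowdstuck[.]org", "crowdfalcon-immed-update[.]com", "crowdstrikefix[.]zip",
                     "fix-crowdstrike-bsod[.]com", "microsoftcrowdstrike[.]com"}


def refang(indicator: str) -> str:
    """Turn 213.5.130[.]58[:]443 back into 213.5.130.58:443 so it compares with live data."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def c2_addresses(iocs: Dict) -> Dict[str, int]:
    """{ip: port} for each C2 entry; a malformed IP raises instead of silently never matching."""
    out = {}
    for entry in iocs["c2"]:
        ip, _, port = refang(entry).partition(":")
        ipaddress.ip_address(ip)
        out[ip] = int(port) if port else 0
    return out


def match_events(events: Iterable[Dict], iocs: Dict = DEFANGED_IOCS) -> List[Dict]:
    """Same semantics as the LogScale case { in(SHA256HashData ...); in(RemoteAddressIP4 ...) }:
    an event is a hit if its hash is a listed IOC or its remote IPv4 is the C2 (any port)."""
    hash_to_name = {h.lower(): n for n, h in iocs["hashes"].items()}
    c2 = c2_addresses(iocs)
    hits = []
    for ev in events:
        digest = (ev.get("SHA256HashData") or "").lower()   # normalise case before comparing
        ip = ev.get("RemoteAddressIP4")
        if digest in hash_to_name:
            reason = f"hash matches {hash_to_name[digest]}"
        elif ip in c2:
            reason = f"connection to RemCos C2 {ip}:{ev.get('RemotePort', '?')}"
        else:
            continue
        hits.append({**{k: ev.get(k) for k in ("aid", "event_simpleName", "ComputerName")},
                     "reason": reason})
    return hits


def scan_directory(root: str, iocs: Dict = DEFANGED_IOCS) -> List[Dict]:
    """Hash every file under root (e.g. an extracted copy of the ZIP) and report IOC hash hits."""
    wanted = {h.lower(): n for n, h in iocs["hashes"].items()}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sha = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    sha.update(chunk)
            if sha.hexdigest() in wanted:
                hits.append({"path": path, "sha256": sha.hexdigest(), "ioc": wanted[sha.hexdigest()]})
    return hits


def is_lookalike(domain: str) -> bool:
    """True for a listed typosquat or (assumed heuristic) any other domain that embeds the
    brand name but is not crowdstrike.com or one of its subdomains."""
    d = refang(domain).lower().rstrip(".")
    if d == "crowdstrike.com" or d.endswith(".crowdstrike.com"):
        return False
    return d in {refang(x) for x in LOOKALIKE_DOMAINS} or "crowdstrike" in d


# Constructed telemetry in the field naming used by the query (not real data).
SAMPLE_EVENTS = [
    {"aid": "a1", "ComputerName": "WS-MX-017", "event_simpleName": "ProcessRollup2",
     "SHA256HashData": "5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9"},
    {"aid": "a1", "ComputerName": "WS-MX-017", "event_simpleName": "NetworkConnectIP4",
     "RemoteAddressIP4": "213.5.130.58", "RemotePort": 443},
    {"aid": "a2", "ComputerName": "WS-MX-020", "event_simpleName": "NetworkConnectIP4",
     "RemoteAddressIP4": "8.8.8.8", "RemotePort": 53},
    {"aid": "a3", "ComputerName": "WS-MX-021", "event_simpleName": "FileWritten",
     "SHA256HashData": "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6"},
]

if __name__ == "__main__":
    print(json.dumps(match_events(SAMPLE_EVENTS), indent=2))
    for q in ("falcon.crowdstrike.com", "crowdstrikefix[.]zip", "crowdstuck[.]org"):
        print(q, "->", "LOOKALIKE" if is_lookalike(q) else "ok")
```

Two design points carry over from the published query: hashes are compared case-insensitively, and the C2 match is on the IP alone, with the port only reported for triage, so a RemCos build that changes ports is still caught. The directory scan is what you would run on a quarantined copy of crowdstrike-hotfix.zip after extraction, never on the live host that received it.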
