CrowdStrike has warned that an unknown threat actor is attempting to take advantage of a failed Falcon Sensor update to distribute a suspicious installer aimed at customers in Germany as part of a targeted campaign.
The cybersecurity firm said it identified a spear-phishing campaign of unknown origin on July 24, 2024, distributing fake CrowdStrike Crash Reporter installers through a website posing as an anonymous German company.
The fake website was allegedly created on July 20, the day after a botched update crashed around nine million Windows devices, causing widespread IT outages around the world.
“Once the user clicks on the download button, the website downloads and deobfuscates the installer using JavaScript (JS) disguised as JQuery v3.7.1,” CrowdStrike’s Counter Adversary Operations team said.
“The installer contains CrowdStrike branding and German localization and requires a password to continue installing the malware.”
Specifically, the spear-phishing page contained a download link to a ZIP archive file containing a malicious InnoSetup installer, and the malicious code delivering the executable was injected into a JavaScript file named “jquery-3.7.1.min.js” in an attempt to evade detection.
Users who launch the fake installer are prompted to enter a “backend server” to proceed, and CrowdStrike says it was unable to recover the final payload delivered via the installer.
The campaign is assessed to be highly targeted: the installer is password-protected and requests input likely known only to the targeted organization. The use of German localization further suggests the activity is aimed at German-speaking CrowdStrike customers.
“This actor appears to be highly conscious of operational security (OPSEC) practices, given their emphasis on anti-forensic techniques during this attack,” CrowdStrike said.
“For example, the attackers registered subdomains under the it(.)com domain to prevent historical analysis of domain registration details. Additionally, they prevented further analysis and attribution by encrypting the installer content and preventing further activity without a password.”
The warning comes amid a wave of phishing attacks exploiting CrowdStrike’s update issues to spread information-stealing malware, including:
- The phishing domain crowdstrike-office365(.)com hosts a malicious archive file containing a Microsoft Installer (MSI) loader that ultimately executes a popular information stealer called Lumma.
- A ZIP file (“CrowdStrike Falcon.zip”) delivers a Python-based information stealer tracked as Connecio, which collects system information, external IP addresses and data from various web browsers and exfiltrates it to an SMTP account listed in a dead-drop URL on Pastebin.
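The lures above share observable traits in web proxy logs: CrowdStrike branding in a hostname that is not a CrowdStrike domain, subdomains under it(.)com, and CrowdStrike-branded ZIP downloads from third-party hosts. The following hunting script is an added example, not CrowdStrike's code or part of the advisory; the log lines are constructed, and the allowlist of legitimate domains is an assumption you would replace with your own Falcon cloud hosts.

```python
import re
from urllib.parse import urlsplit

# Assumption: extend with the Falcon cloud hosts your tenant actually talks to.
LEGIT_CROWDSTRIKE_DOMAINS = ("crowdstrike.com",)

# Constructed sample proxy log lines, not real traffic: "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2024-07-24T09:12:01Z 10.0.0.5 https://falcon.crowdstrike.com/api/v1/heartbeat
2024-07-24T09:13:44Z 10.0.0.7 https://crowdstrike-office365.com/update/CrowdStrike_Falcon.zip
2024-07-24T09:14:02Z 10.0.0.7 https://support-crowdstrike.it.com/assets/jquery-3.7.1.min.js
2024-07-24T09:15:10Z 10.0.0.9 https://cdn.example.org/static/jquery-3.7.1.min.js
2024-07-24T09:16:30Z 10.0.0.9 https://files.example.org/downloads/CrowdStrike Falcon.zip
"""

# Brand keywords seen in the lure file names described in the article.
BRAND = re.compile(r"crowd\s*strike|falcon", re.IGNORECASE)

def is_legit_host(host):
    """True when host is one of the allowlisted CrowdStrike domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_CROWDSTRIKE_DOMAINS)

def classify(url):
    """Return the reasons a URL resembles the lure traffic; empty list means no match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if "crowdstrike" in host and not is_legit_host(host):
        reasons.append("brand keyword in non-CrowdStrike host")
    if host.endswith(".it.com"):
        # Weak signal on its own; it(.)com subdomains have legitimate users too.
        reasons.append("subdomain under it.com (registrant history hidden)")
    if filename.lower().endswith(".zip") and BRAND.search(filename) and not is_legit_host(host):
        reasons.append("CrowdStrike-branded ZIP from non-CrowdStrike host")
    # A request for jquery-3.7.1.min.js is not flagged by name: the file name is the
    # legitimate library's, so the host and download context are what matter.
    return reasons

def hunt(log_text):
    """Scan log lines and return (timestamp, client, url, reasons) for each suspicious one."""
    hits = []
    for line in log_text.splitlines():
        ts, client, url = line.split(" ", 2)  # URL may contain spaces, keep the remainder
        reasons = classify(url)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits

if __name__ == "__main__":
    for ts, client, url, reasons in hunt(SAMPLE_LOG):
        print(ts, client, url, "->", "; ".join(reasons))
```

Lookalike hosts are a triage aid, not proof; pivot from a hit to the downloaded archive and the client's subsequent process activity before blocking.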
CrowdStrike CEO George Kurtz said Thursday that 97% of Windows devices that were taken offline during the global IT outage are now up and running.
“CrowdStrike’s mission is to protect our customers’ operations and earn their trust. I deeply apologize for the disruption this outage caused and personally apologize to everyone affected,” Kurtz said. “While I can’t promise perfection, I can promise you that our response will be focused, effective, and acted with urgency.”
Previously, the company’s chief security officer, Sean Henry, apologized for “failing to protect good people from evil” and for “letting down the people we promised to protect.”
“The trust in your infusion that we have built over the years has been blown away in just a few hours,” Henry acknowledged. “We are committed to earning your trust again by providing you with the protection needed to thwart those who would target you. Despite this setback, the mission continues.”
Meanwhile, Bitsight said its analysis of traffic patterns of CrowdStrike machines in organizations around the world revealed two “interesting” data points that warrant further investigation.
“First, we saw a spike in traffic around 10pm on July 16th, followed by a clear and significant drop in outgoing traffic from organizations to CrowdStrike,” security researcher Pedro Umbellino said. “Second, since the early hours of the 19th, we saw a significant drop of 15% to 20% in the number of unique IPs and organizations connecting to CrowdStrike Falcon servers.”
“While we cannot speculate on the underlying causes of the change in traffic patterns on the 16th, it raises a fundamental question: is there any correlation between what we observed on the 16th and the outage on the 19th?”