Exploiting a CrowdStrike Update Mishap, Hacker Groups Spread Remcos RAT Malware.
CrowdStrike, a cybersecurity company that is currently facing criticism for causing widespread disruptions in IT systems by distributing a flawed update to Windows devices, is now warning that threat actors are taking advantage of the situation in order to deliver the Remcos RAT to its customers in Latin America under the guise of providing a hotfix.
The attack chains involve the distribution of a ZIP archive file with the name “crowdstrike-hotfix.zip.” This file contains a malware loader known as Hijack Loader (also known as DOILoader or IDAT Loader), which then runs the Remcos RAT payload.
To be more specific, the archive file also contains a text file called “instrucciones.txt” that contains instructions written in Spanish. These instructions urge targets to run an executable file called “setup.exe” in order to recover from the problem.
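The lure described above has a recognisable shape: an archive whose name promises a CrowdStrike fix, carrying a text file of instructions next to an executable the reader is told to run. The following triage script is an added example, not CrowdStrike's code or anything published with the advisory; it takes only the file names quoted in the article as known indicators, and everything else (the heuristic for similar archive names, the executable check, the sample archives it builds in memory, and the verdict levels) is an assumption made here for illustration. It generalises slightly beyond the article by also flagging any archive that bundles an executable with an instruction text file, at a lower "review" level.

```python
"""Triage a ZIP attachment for the CrowdStrike "hotfix" lure pattern.

Added example; not CrowdStrike's tooling. Known indicators (archive name,
instruction file, executable name) come from the published description of
the campaign. The heuristics, severity levels and sample archives below are
constructed for this example.
"""
import io
import zipfile

# Indicators quoted in the advisory write-up.
LURE_ARCHIVE_NAMES = {"crowdstrike-hotfix.zip"}
LURE_INSTRUCTION_FILES = {"instrucciones.txt"}
LURE_EXECUTABLES = {"setup.exe"}

# Assumed heuristics: common Windows executable extensions and the PE magic.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs")
MZ_MAGIC = b"MZ"


def build_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {path: bytes} (test data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


def assess_archive(archive_name: str, data: bytes) -> dict:
    """Return {"verdict": block|review|clean, "findings": [...]} for one archive."""
    findings = []  # (level, message); level is "known" or "heuristic"
    name_lower = archive_name.lower()
    if name_lower in LURE_ARCHIVE_NAMES:
        findings.append(("known", f"archive name matches reported lure: {archive_name}"))
    elif "crowdstrike" in name_lower and "fix" in name_lower:
        findings.append(("heuristic", f"archive name resembles a CrowdStrike fix: {archive_name}"))

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        # Compare on base names so nested paths (e.g. "hotfix/setup.exe") still match.
        base_names = {m.filename.rsplit("/", 1)[-1].lower() for m in members}

        if base_names & LURE_INSTRUCTION_FILES:
            findings.append(("known", "contains reported instruction file: instrucciones.txt"))
        if base_names & LURE_EXECUTABLES:
            findings.append(("known", "contains reported lure executable: setup.exe"))

        executables = []
        for m in members:
            base = m.filename.rsplit("/", 1)[-1].lower()
            with zf.open(m) as fh:
                head = fh.read(2)
            # Flag by extension or by PE header, so a renamed binary is still caught.
            if base.endswith(EXECUTABLE_SUFFIXES) or head == MZ_MAGIC:
                executables.append(m.filename)
        has_text_instructions = any(n.endswith(".txt") for n in base_names)
        if executables and has_text_instructions:
            findings.append(("heuristic",
                             "executable bundled with a text instruction file: " + ", ".join(executables)))

    if any(level == "known" for level, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": [msg for _, msg in findings]}


# Constructed sample archives mirroring the reported lure and a benign attachment.
SAMPLE_LURE_MEMBERS = {
    "instrucciones.txt": b"Ejecute setup.exe para resolver el problema.",
    "setup.exe": MZ_MAGIC + bytes(62),  # fake PE header, not a real binary
}
SAMPLE_BENIGN_MEMBERS = {
    "README.txt": b"Quarterly figures attached.",
    "report.csv": b"region,total\nLATAM,42\n",
}

if __name__ == "__main__":
    for name, members in (("crowdstrike-hotfix.zip", SAMPLE_LURE_MEMBERS),
                          ("quarterly.zip", SAMPLE_BENIGN_MEMBERS)):
        result = assess_archive(name, build_zip(members))
        print(name, "->", result["verdict"])
        for line in result["findings"]:
            print("   ", line)
```

Running the script prints `block` for the constructed lure archive and `clean` for the benign one. In a mail gateway or EDR ingest pipeline, the same function could run over every inbound archive, with the "known" indicators kept in a feed that analysts update as the campaign evolves.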
“Notably, Spanish filenames and instructions within the ZIP archive indicate that this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers,” the company claimed, attributing the campaign to a suspected e-crime gang. “This campaign is likely targeting customers who are not located in the United States.”
CrowdStrike acknowledged on Friday that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC unintentionally introduced a logic error that caused a Blue Screen of Death (BSOD). The error rendered a large number of systems inoperable and sent businesses into a tailspin.
Customers whose hosts were online between 04:09 and 05:27 a.m. UTC and were running Falcon sensor for Windows version 7.11 or higher were affected.
A number of malicious actors wasted no time in capitalizing on the confusion caused by the event. They have registered typosquatting domains that impersonate CrowdStrike and have advertised "recovery" services to impacted businesses in exchange for payment in cryptocurrency.
It is recommended that customers who are affected by this issue “ensure that they are communicating with CrowdStrike representatives through official channels and adhere to the technical guidance that the CrowdStrike support teams have provided.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.