Hackers Exploit CrowdStrike Glitch to Distribute Remcos RAT

CrowdStrike, a leading cybersecurity firm, is facing backlash after a recent flawed update caused widespread IT disruptions. This update error has now led to cybercriminals exploiting the situation by distributing Remcos RAT malware under the guise of a hotfix.

The attack unfolds through a ZIP archive named “crowdstrike-hotfix.zip,” which contains a malware loader known as Hijack Loader (or DOILoader/IDAT Loader). This loader then activates the Remcos RAT payload. Notably, the ZIP file also includes a Spanish-language text file (“instrucciones.txt”) instructing recipients to run an executable file (“setup.exe”) to address the supposed issue.

CrowdStrike has indicated that the use of Spanish filenames and instructions suggests this campaign primarily targets customers in Latin America. The firm attributes this malicious activity to a suspected e-crime group.

On July 19, CrowdStrike’s Falcon platform for Windows devices experienced a significant setback when a routine sensor configuration update led to a logic error, causing a Blue Screen of Death (BSoD) and rendering many systems inoperable. This incident impacted customers using Falcon sensor for Windows version 7.11 and above, who were online between 04:09 and 05:27 UTC.

Cybercriminals have swiftly taken advantage of the chaos, creating typosquatting domains that impersonate CrowdStrike and offer services to affected businesses in exchange for cryptocurrency payments.

CrowdStrike advises affected customers to only communicate through official channels and follow the technical guidance provided by their support teams. Microsoft, which is collaborating with CrowdStrike on remediation, reported that the incident affected 8.5 million Windows devices globally, representing less than one percent of all Windows machines. Mac and Linux devices were not impacted by this outage.

This event highlights the risks associated with relying on monocultural supply chains and underscores the importance of safe deployment and disaster recovery practices. Microsoft has introduced a new recovery tool to help IT administrators repair the damaged Windows machines.

Additionally, CrowdStrike has launched a Remediation and Guidance Hub to provide comprehensive details and support for affected systems, including those encrypted with BitLocker. Reports have also emerged of similar update issues affecting Debian Linux servers and triggering kernel panics in Red Hat and Rocky Linux distributions.