CrowdStrike has issued a warning about a new phishing campaign aimed at German customers, exploiting the recent Falcon Sensor update mishap to distribute fake installers.
On July 24, 2024, CrowdStrike detected a sophisticated spear-phishing attempt distributing a counterfeit CrowdStrike Crash Reporter installer through a website impersonating a German organization. This fake site was created on July 20, shortly after a flawed update crashed nearly 9 million Windows devices, causing global IT disruptions.
According to CrowdStrike’s Counter Adversary Operations team, the website uses JavaScript disguised as jQuery v3.7.1 to download and deobfuscate the installer after users click the Download button. The installer features CrowdStrike branding and German language localization, and it requires a password for installation.
The phishing page offers a ZIP file containing a malicious InnoSetup installer, with the malicious code hidden in a JavaScript file named “jquery-3.7.1.min.js” to avoid detection. Users who run the fake installer are prompted to enter a “Backend-Server” password. CrowdStrike has been unable to retrieve the final payload delivered by the installer.
This campaign is highly targeted, as the password-protected installer likely requires information known only to the intended victims. The use of the German language further indicates that the attack is aimed at German-speaking CrowdStrike customers.
CrowdStrike noted that the threat actor is well-versed in operational security (OPSEC) practices, employing anti-forensic techniques throughout the campaign. For instance, they registered a subdomain under the it[.]com domain to prevent historical analysis of domain registration details. Encrypting the installer contents and requiring a password for further activity further hinder analysis and attribution.
This incident is part of a larger wave of phishing attacks exploiting the CrowdStrike update issue to spread malware such as stealers and wipers:
– A phishing domain, crowdstrike-office365[.]com, hosts rogue archive files with an MSI loader that ultimately executes the Lumma information stealer.
– A ZIP file (“CrowdStrike Falcon.zip”) contains a Python-based stealer called Connecio, which gathers system information, external IP addresses, and browser data, then exfiltrates them via SMTP accounts listed on a Pastebin dead-drop URL.
– The Handala Hacking Team is targeting Israeli entities with a phishing campaign that tricks recipients into downloading an “outage fix,” launching an installer that unpacks and executes an AutoIt script to deploy a data wiper and exfiltrate system information through Telegram’s API.
Researchers have identified at least 180 new counterfeit typosquat domains claiming to offer technical support, quick fixes, or legal assistance related to the incident, in attempts to introduce malware or steal sensitive information.
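As an added defender-side example (not code from CrowdStrike or the article), the following Python flags lookalike domains that abuse the CrowdStrike brand, like the typosquats described above, in proxy log lines. The log format, the sample hostnames, and the edit-distance threshold are constructed assumptions.

```python
import re

# Constructed sample proxy log lines (hypothetical hosts, not real indicators).
SAMPLE_LOGS = [
    "2024-07-24T10:01:02Z src=10.0.0.5 host=www.crowdstrike.com",
    "2024-07-24T10:03:17Z src=10.0.0.9 host=crowdstrike-office365.com",
    "2024-07-24T10:05:40Z src=10.0.0.7 host=falcon.crowdstrike.com",
    "2024-07-24T10:06:11Z src=10.0.0.8 host=crowdstrlke-fix.net",
    "2024-07-24T10:07:55Z src=10.0.0.3 host=example.org",
]

BRAND = "crowdstrike"
LEGIT_DOMAINS = {"crowdstrike.com"}  # assumed allow-list of genuine registrable domains
MAX_EDIT_DISTANCE = 2                 # assumed threshold for near-miss spellings


def refang(indicator):
    """Turn a defanged indicator such as crowdstrike-office365[.]com into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels (enough for the .com/.net/.org samples)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Standard edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True when the host is not on the allow-list but embeds or nearly spells the brand."""
    rd = registrable_domain(host)
    if rd in LEGIT_DOMAINS:
        return False
    tokens = rd.split(".")[0].split("-")  # crowdstrike-office365 -> [crowdstrike, office365]
    return any(BRAND in t or levenshtein(t, BRAND) <= MAX_EDIT_DISTANCE for t in tokens)


def flag_lookalikes(lines):
    """Return the hostnames in the log lines that look like brand impersonation."""
    hits = []
    for line in lines:
        m = re.search(r"host=(\S+)", line)
        if m and is_lookalike(m.group(1)):
            hits.append(m.group(1))
    return hits
```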
On Thursday, CrowdStrike’s CEO reported that 97% of the Windows devices affected by the global IT outage are now operational. He apologized for the disruption and emphasized CrowdStrike’s commitment to earning customer trust through focused and effective responses.
The company’s Chief Security Officer also apologized for the failure to protect its clients, acknowledging the significant impact on customer confidence. Despite the setback, he reaffirmed CrowdStrike’s mission to deliver protection and disrupt adversaries.
To safeguard against phishing scams, individuals and organizations should remain vigilant when receiving unexpected emails or messages, especially those prompting downloads or sharing personal information. Verifying the authenticity of websites and emails before clicking on links or downloading attachments is crucial.