Threat Actors are Exploiting the Recent CrowdStrike Outage in an Effort to Deploy Malware and to Stage eCrime Operations

Threat actors have exploited the CrowdStrike outage to launch eCrime campaigns: phishing, scam websites and malware delivery. The report documents lookalike domains registered for phishing and malware hosting, and a HijackLoader chain delivering Remcos from a fake "hotfix" ZIP in a campaign aimed at LATAM-based targets. #CrowdStrikeOutage #HijackLoader #Remcos #LATAM #CrowdStrikeFalcon

Keypoints

  • Threat actors are leveraging the CrowdStrike outage to ramp up eCrime operations, including phishing, scam websites, and malware delivery.
  • Phishing remains the top attack vector; lures posing as IT support or remediation guidance pressure victims into acting quickly.
  • Attackers registered deceptive CrowdStrike-themed domains to send phishing emails, host scam sites, and serve malware.
  • Running Setup.exe causes madBasic_.bpl to be loaded from the same directory via DLL search-order hijacking; the HijackLoader stages inside that file carry the chain through to the final payload.
  • Remcos is the final payload; its C2 beacons go to 213.5.130[.]58 on port 433.
  • The lure arrives as a ZIP (Crowdstrike-hotfix.zip) posing as an update or hotfix, and the victim is tricked into executing Setup.exe from it.
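To make the ZIP-lure and search-order-hijacking points above concrete (and the T1574.001 entry in the MITRE section below), here is an added triage script that is not part of the Securonix report: it hashes a ZIP archive and each member against the SHA-256 values published on this page, then flags the on-disk layout that enables DLL search-order hijacking, an EXE sitting beside a loadable PE module (.dll/.bpl/.ocx) in the same directory. The sample archive is constructed with the report's file names but placeholder contents, so the hash check is exercised without firing; the 64 MiB member cap is an assumption added as a ZIP-bomb guard.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# SHA-256 values as published on the page for the lure archive and one file
# from the HijackLoader chain (lower-cased for comparison).
KNOWN_BAD_SHA256 = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "Crowdstrike-hotfix.zip",
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6": "maidenhair.cfg",
}
# Module types the Windows loader resolves by name, application directory first.
LOADABLE_EXTS = {".dll", ".bpl", ".ocx"}
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumption: refuse to inflate oversized members


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap PE check: DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def triage_zip(zip_bytes: bytes) -> dict:
    """Hash-match the archive and its members against KNOWN_BAD_SHA256, then
    report every (EXE, loadable module) pair sharing a directory, which is the
    layout a search-order hijack needs."""
    report = {"hash_hits": [], "sideload_pairs": [], "skipped": []}
    archive_digest = sha256_hex(zip_bytes)
    if archive_digest in KNOWN_BAD_SHA256:
        report["hash_hits"].append(("<archive>", archive_digest))
    by_dir = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                report["skipped"].append(info.filename)
                continue
            data = zf.read(info)
            digest = sha256_hex(data)
            if digest in KNOWN_BAD_SHA256:
                report["hash_hits"].append((info.filename, digest))
            path = PurePosixPath(info.filename)
            by_dir.setdefault(str(path.parent), []).append((path, is_pe(data)))
    for entries in by_dir.values():
        exes = [p for p, pe in entries if pe and p.suffix.lower() == ".exe"]
        libs = [p for p, pe in entries if pe and p.suffix.lower() in LOADABLE_EXTS]
        for exe in exes:
            for lib in libs:
                report["sideload_pairs"].append((str(exe), str(lib)))
    return report


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure ZIP: file names follow the report,
    contents are placeholders, so the published hashes will not match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x00" * 62 + b"placeholder installer")
        zf.writestr("madBasic_.bpl", b"MZ" + b"\x00" * 62 + b"placeholder package")
        zf.writestr("maidenhair.cfg", b"placeholder config blob")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_lure())
    for exe, lib in result["sideload_pairs"]:
        print(f"[sideload-layout] {exe} can load {lib} from its own directory")
    for name, digest in result["hash_hits"]:
        print(f"[known-bad] {name} {digest} ({KNOWN_BAD_SHA256[digest]})")
    if not result["hash_hits"]:
        print("[info] no published hash matched (expected for the placeholder sample)")
```

Run it against a real archive by replacing `build_sample_lure()` with the file's bytes; the layout check is deliberately hash-independent, so it still fires when the attacker rebuilds the package with different bytes.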

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “phishing emails are the number one attack vector that threat actors use in an attempt to compromise systems.” – Phishing emails carrying the lure remain the primary route to initial access.
  • [T1583.001] Acquire Infrastructure: Domains – “malicious threat actors swiftly began registering deceptive domains to deploy phishing emails, create scam websites, and host malware.” – Newly registered lookalike domains host the fraud pages and the malware download.
  • [T1071.001] Application Layer Protocol: Web Protocols – Remcos beacon to C2 – “beacon out to a C2 server at 213.5.130[.]58[:]433.” – C2 beaconing from the Remcos payload.
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – “will load and execute the HijackLoader’s initial attack chain from within the madBasic_.bpl file via DLL search-order hijacking.” – A module placed in the application directory is resolved ahead of the legitimate one and runs the loader.

Indicators of Compromise

  • [Domain] – CrowdStrike-themed malicious domains – crowdstrike0day[.]com, crowdstrikeoutage[.]info, and other domains listed in the report
  • [IP] – Network addresses associated with C2 and hosting – 52.219.116[.]113, 185.199.110[.]153, and many others; note that 185.199.110[.]153 is a GitHub Pages anycast address, i.e. shared hosting rather than attacker-owned infrastructure, so validate these before adding them to block lists
  • [File Hash] – Files used in the malware chain – Crowdstrike-hotfix.zip: C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2; maidenhair.cfg: 931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6
  • [File Name] – Files referenced in the malware chain – Crowdstrike-hotfix.zip, Setup.exe, madBasic_.bpl, maidenhair.cfg
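As an added example (not from the report), a small Python hunt over constructed DNS, proxy and firewall log lines: it refangs the published indicators once, matches exact domains and the C2 socket (IP and port together, so 443 traffic to the same host is not mis-flagged), and, following the domain-registration point, also flags lookalike hostnames that contain "crowdstrike" outside the vendor's own zone. The key=value log format, the client addresses and the hostname crowdstrike-fix-support.example are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as published (defanged) on the page; refanged once at load time.
DEFANGED_DOMAINS = ["crowdstrike0day[.]com", "crowdstrikeoutage[.]info"]
DEFANGED_C2 = ["213.5.130[.]58[:]433"]


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against raw log values."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_C2 = {refang(c) for c in DEFANGED_C2}

# Assumed log shape: free text followed by key=value pairs (quoted values allowed).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_of(fields: dict):
    """Hostname from a DNS query, an HTTP Host field, or a proxy URL."""
    for key in ("query", "host"):
        if key in fields:
            return fields[key].lower().rstrip(".")
    if "url" in fields:
        return (urlsplit(fields["url"]).hostname or "").lower()
    return None


def is_lookalike(host: str) -> bool:
    """Hunting heuristic: the brand string inside a domain that is not the
    vendor's own zone. Expect some false positives; triage, do not auto-block."""
    if host == "crowdstrike.com" or host.endswith(".crowdstrike.com"):
        return False
    return "crowdstrike" in host


def scan_line(line: str) -> list:
    fields = parse_kv(line)
    hits = []
    host = host_of(fields)
    if host:
        if host in IOC_DOMAINS:
            hits.append(("ioc-domain", host))
        elif is_lookalike(host):
            hits.append(("lookalike-domain", host))
    if "dst" in fields and "dport" in fields:
        endpoint = f"{fields['dst']}:{fields['dport']}"
        if endpoint in IOC_C2:
            hits.append(("c2-endpoint", endpoint))
    return hits


def scan_logs(lines) -> list:
    """Return (line, hits) for every line with at least one hit."""
    results = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (not from the report).
SAMPLE_LOGS = [
    "2024-07-19T14:02:11Z dns client=10.1.2.3 query=crowdstrike0day.com",
    "2024-07-19T14:03:40Z dns client=10.1.2.3 query=falcon.crowdstrike.com",
    "2024-07-19T14:05:42Z proxy client=10.1.2.3 url=http://crowdstrikeoutage.info/Crowdstrike-hotfix.zip",
    "2024-07-19T14:06:10Z proxy client=10.1.2.9 url=http://crowdstrike-fix-support.example/update.zip",
    "2024-07-19T14:09:03Z fw client=10.1.2.3 dst=213.5.130.58 dport=433 action=allow",
    "2024-07-19T14:09:05Z fw client=10.1.2.3 dst=213.5.130.58 dport=443 action=allow",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(", ".join(f"{kind}={value}" for kind, value in hits), "<-", line)
```

The legitimate falcon.crowdstrike.com lookup and the port-443 connection produce no hits, which is the point of matching the full socket and excluding the vendor's zone; the lookalike rule is a hunting lead for the "newly registered domains" behaviour, not a blocking signature.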

Read more: https://www.securonix.com/blog/threat-actors-are-exploiting-the-recent-crowdstrike-outage-in-an-effort-to-deploy-malware-and-to-stage-ecrime-operations/