CYFIRMA’s analysis centers on a global BSOD incident triggered by a CrowdStrike Falcon Sensor update, with cybercriminals quickly abusing the chaos through phishing campaigns and malicious domains. The report flags Remcos RAT, Data Wiper malware, and other commodity malware as the actors’ tools and provides mitigations including Yara and Suricata-based detections. #RemcosRAT #DataWiper #CrowdStrikeBSOD #CYFIRMA
Key points
- The CrowdStrike update caused widespread BSOD incidents on Windows machines globally, which adversaries exploited via phishing campaigns and malicious domains.
- CYFIRMA identifies multiple malware families used in these campaigns, notably Remcos RAT, Data Wiper malware, and other commodity malware.
- Remcos RAT is described as a sophisticated backdoor with obfuscation/anti-debugging features and active development against detection.
- Malicious domains and IOCs were collected and analyzed, showing a mix of domains that deliver malware, host phishing pages, or serve as infrastructure for C2/hosting.
- A notable malware delivery chain involves a malicious ZIP (crowdstrike-hotfix.zip) containing HijackLoader and Remcos payloads, with Setup.exe prompting user execution.
- CYFIRMA maps observed behaviors to MITRE ATT&CK techniques across execution, persistence, defense evasion, discovery, collection, exfiltration, and C2.
- Recommendations focus on rigorous software testing, threat detection (Yara/Suricata), and proactive monitoring to mitigate similar campaigns.
MITRE Techniques
- [T1204.002] User Execution – The malicious ZIP prompts the user to run a file to patch the issue. “These instructions prompt users to run ‘Setup.exe’ to patch the issue.”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – HijackLoader loads via DLL search-order hijacking: “first stage of HijackLoader within ‘madBasic_.bpl’ through DLL search-order hijacking.”
- [T1055] Process Injection – In the campaign, “Champion.pif” spawns “RegAsm.exe” and performs process injection.
- [T1140] Deobfuscate/Decode Files or Information – The batch script “Caroll.cmd” is obfuscated and later de-obfuscated.
- [T1070.004] Indicator Removal: File Deletion – The data-wiping functionality is implemented to erase data on the victim host. “The dumped file ‘Champion.pif’ is Autoit3.exe … spawns ‘RegAsm.exe’ and perform process injection.”
- [T1057] Process Discovery – The analysis notes the use of Tasklist to see if antivirus is running, enabling stealthy execution.
- [T1083] File and Directory Discovery – In the context of discovering targeted files and artifacts during the operation.
- [T1071.001] Application Layer Protocol: Web Protocols – The malware uses web-based channels for C2, e.g., “URL: hxxps[:]//icanhazip[.]com” used in the C2 context.
- [T1041] Exfiltration Over Command-and-Control Channel – Exfiltration occurs over the C2 channel as part of the operation.
Indicators of Compromise
- [MD5 Hash] – Sample hashes such as 1e84736efce206dc973acbc16540d3e5 and 7daa2b7fe529b45101a399b5ebf0a416, plus 13 other hashes listed in the report.
- [URL] – e.g., hxxps[:]//icanhazip[.]com (used in the C2 context), plus other URLs listed in the report.
- [Domain] – crashstrike[.]com, crowdstrikeoutage[.]info, clownstrike[.]co[.]uk, crowdstrikefix[.]com, and 2 more domains.
- [IP Address] – 185.199.108.153, 80.78.22.84, and other related infrastructure.