CrowdStrike Intelligence identified a targeted spearphishing campaign that delivered a fake CrowdStrike Crash Reporter installer by impersonating a German entity, exploiting a Falcon sensor vulnerability. The operation used JavaScript obfuscation, a password gate, and anti-forensic techniques such as timestomping to hinder analysis. #CrowdStrike #FalconSensor
Key points
- The spearphishing page was hosted on a domain registered shortly after a CrowdStrike Falcon sensor update, indicating targeted timing.
- The malicious installer masqueraded as legitimate software and required a specific password, suggesting a high level of operational security by the threat actor.
- JavaScript was used to download and deobfuscate the installer, which contained CrowdStrike branding and German localization.
- The attack utilized anti-forensic techniques, such as timestomping, to obscure the true nature of the malicious files.
- Recommendations include only accepting updates from official sources and training users to avoid executing files from untrusted origins.
- The actor appears highly OPSEC-conscious; the subdomain was registered through a registrar in a way that complicates attribution.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The spearphishing page heavily targeted a German entity and delivered an inauthentic CrowdStrike crash-reporting application.
- [T1566.002] Phishing: Spearphishing Link – The spearphishing link was likely sent to the German entity over email.
- [T1204.002] User Execution: Malicious File – The user is required to enter a password to decrypt the installer contents for the next stages.
- [T1036] Masquerading – The infection chain masquerades as jQuery v3.7.1 and Java.
- [T1140] Deobfuscate/Decode Files or Information – The JS on the spearphishing page deobfuscates the inauthentic CrowdStrike crash-reporting application.
Indicators of Compromise
- [File Hash] 41143b2e4bbb9279ba0bbb375748530cc4887cc965967e5c0cc9a39dc44937d6, a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7, and 2 more hashes
- [Filename] CrowdStrike_Crash_Reporter_Setup_8.R3.exe, CrowdStrike_Crash_Reporter_Setup_8.R3.tmp, and 2 more filenames
- [URL] http://{German Entity}.it.com/crowdstrike/, http://{German Entity}.it.com/crowdstrike/media/disabled.svg
- [IP Address] 4.180.4.19
- [File Hash] 99bb0f05fd135218a5c4b8cac42e58274086b543d001d7227c8f6a2b7722f425
- [Filename] Java8Runtime.exe, Javacsmon8.dat, install_script.iss, and 1 more file
Read more: https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing