Malicious Falcon Crash Reporter Installer Distributed to German Organization

CrowdStrike Intelligence uncovered a targeted spearphishing campaign delivering an inauthentic CrowdStrike Crash Reporter installer via a site impersonating a German entity. The attack chain uses a JS downloader masquerading as jQuery, a password-protected InnoSetup installer, and both timestomping and domain registration under it.com to hinder analysis. #CrowdStrike #CrashReporter #InnoSetup #FalconSensor #GermanEntity #it.com

Keypoints

  • A spearphishing page impersonates a German entity and links to a ZIP lure containing a malicious InnoSetup installer.
  • The JS downloader masquerades as jQuery v3.7.1 to fetch and deobfuscate the payload before execution.
  • The inauthentic installer is password-protected and prompts for a “Backend-Server” password; incorrect input results in an error.
  • The installer is composed of install_script.iss, csmon8.dat, and Java8Runtime.exe, with timestomping observed on several files.
  • OPSEC-focused techniques include domain registration under it.com and encryption/obfuscation to impede analysis and attribution.
  • Multiple IOCs are documented, including file hashes, filenames, URLs, and an IPv4 address linked to the spearphishing setup.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The spearphishing page heavily targeted a German entity and delivered an inauthentic CrowdStrike crash-reporting application.
  • [T1566.002] Phishing: Spearphishing Link – The spearphishing link was likely sent to the German entity over email.
  • [T1204.002] User Execution: Malicious File – The user is required to enter a password to decrypt the installer contents for the next stages.
  • [T1036] Masquerading – The infection chain masquerades as jQuery v3.7.1 and Java.
  • [T1140] Deobfuscate/Decode Files or Information – The JS on the spearphishing page deobfuscates the inauthentic CrowdStrike crash-reporting application.

Indicators of Compromise

  • [File hash] 41143b2e4bbb9279ba0bbb375748530cc4887cc965967e5c0cc9a39dc44937d6 – ZIP lure file crowdstrike_crash_reporter_v1.1-R7.zip (context: ZIP lure, modified 2024-07-23)
  • [File hash] a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7 – Malicious InnoSetup installer executable CrowdStrike_Crash_Reporter_Setup_8.R3.exe (context: compiler timestamp; likely timestomped)
  • [File hash] 80304da1e333ed581378797ad8b0b8d81a8ac5928b83423702f0de30f1616225 – Delphi executable CrowdStrike_Crash_Reporter_Setup_8.R3.tmp
  • [URL] http://{German Entity}.it.com/crowdstrike/ – spearphishing URL (context: phishing page)
  • [URL] http[:]//{German Entity}.it[.]com/crowdstrike/media/disabled.svg – obfuscated URL the JS downloader uses to fetch the payload (context: JS downloader path)
  • [Domain/IP] 4.180.4.19 – IPv4 address of the spearphishing domain (context: hosting infrastructure)
  • [Filename] CrowdStrike_Crash_Reporter_Setup_8.R3.exe – InnoSetup initial installer (context: target filename)
  • [Filename] Javacsmon8.dat – part of installer contents (context: localappdata path)
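As an added example (not from the CrowdStrike report), a Python sweep a defender could run over a download or %LOCALAPPDATA% directory: it hashes files against the SHA-256 indicators listed above, flags the lure and installer filenames from the report, and applies a simple timestomping heuristic (assumption: a PE compile timestamp later than the file's own mtime is suspicious, mirroring the "likely timestomped" note on the installer).

```python
import hashlib
import os
import struct

# Indicators copied from the report above (lure ZIP, InnoSetup installer, Delphi .tmp).
IOC_HASHES = {
    "41143b2e4bbb9279ba0bbb375748530cc4887cc965967e5c0cc9a39dc44937d6": "crowdstrike_crash_reporter_v1.1-R7.zip",
    "a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7": "CrowdStrike_Crash_Reporter_Setup_8.R3.exe",
    "80304da1e333ed581378797ad8b0b8d81a8ac5928b83423702f0de30f1616225": "CrowdStrike_Crash_Reporter_Setup_8.R3.tmp",
}
IOC_NAMES = {n.lower() for n in IOC_HASHES.values()} | {
    "install_script.iss", "csmon8.dat", "java8runtime.exe",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_timestamp(data):
    """Return the COFF header TimeDateStamp, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def sweep(root, hashes=IOC_HASHES, names=IOC_NAMES, skew=24 * 3600):
    """Walk root and return (path, reason) findings for hash, filename and timestamp hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                findings.append((path, "filename matches campaign IOC"))
            digest = sha256_of(path)
            if digest in hashes:
                findings.append((path, "SHA-256 matches " + hashes[digest]))
            with open(path, "rb") as f:
                head = f.read(4096)  # headers only; enough to reach the COFF timestamp
            ts = pe_timestamp(head)
            # Heuristic (assumption): compile time more than `skew` after the file's
            # mtime means the PE header timestamp was probably tampered with.
            if ts is not None and ts > os.path.getmtime(path) + skew:
                findings.append((path, "PE compile timestamp after file mtime"))
    return findings
```

Run `sweep(r"C:\Users\<user>\Downloads")` and triage each finding; a hash hit is a confirmed artefact, while the filename and timestamp hits are leads that need a look at the file itself.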

Read more: https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing/