A July 2024 CrowdStrike outage created an opportunity for attackers to push phishing and malware campaigns disguised as updates or hotfixes. Analysis by ANY.RUN highlights fake domains impersonating CrowdStrike and malware such as Remcos and HijackLoader used in these campaigns. #CrowdStrikeOutage #Remcos
Key points
- The CrowdStrike outage on July 18, 2024 caused widespread BSODs, creating disruption and user confusion.
- Cybercriminals leveraged phishing and malware masquerading as updates or hotfixes during the outage window.
- ANY.RUN identified two primary threat sources: newly created fake domains and malware updates/bundles posing as CrowdStrike fixes.
- On day one after the outage, attackers rapidly registered or repurposed fake domains to lure victims into visiting malicious sites.
- A malicious archive named crowdstrike-hotfix delivered Remcos to infected systems, with the dropper sourced from portalintranetgrupobbva[.]com.
- Other campaigns used phishing emails with CrowdStrike-themed PDFs that prompted users to download ZIP archives, and malicious documents whose VBS launched further tools, including a data wiper and stealer malware.
- Security teams are advised to verify updates, follow CrowdStrike guidance, and use TI Lookup to search for related IOCs and suspicious domains.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Attachment – A CrowdStrike-themed phishing email carrying a PDF attachment that linked to a ZIP download. ‘The CrowdStrike-themed phishing email and PDF attachment, which, in turn, included a link to downloading a ZIP file.’
- [T1036] Masquerading – Campaigns spreading malware as updates or bug fixes. ‘rise in campaigns spreading malware as updates or bug fixes.’
- [T1059.005] Visual Basic – The malicious document uses a VBS (Visual Basic Script) to launch a chain of tools on the infected computer. ‘the harmful document uses a bad VBS (Visual Basic Script) to start a series of tools on the infected computer.’
- [T1105] Ingress Tool Transfer – The malicious archive delivered Remcos to the infected system after execution. ‘After execution, it delivered Remcos to the infected system.’
- [T1583] Acquire Infrastructure – Domains created to impersonate CrowdStrike’s official domain used for phishing. ‘creation of websites with domain names that mimicked CrowdStrike’s official domain.’
- [T1485] Data Destruction – The data wiper overwrote files and disrupted the system. ‘the wiper devastated the system by overwriting files with zero bytes.’
Indicators of Compromise
- [Domain] portalintranetgrupobbva[.]com – used to host malicious content and deliver the Remcos payload
- [Domain] crowdstrike-bsod[.]co and crowdstrike-bsod[.]com – fake domains impersonating CrowdStrike
- [Domain] crowdstrike-helpdesk[.]com – fake domain used in impersonation
- [URL] hxxps://link.storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip?download=1 – malicious update URL
- [IP] 213.5.130[.]58:443 – remote endpoint referenced in the malicious activity
- [URL] hxxps://portalintranetgrupobbva[.]com/ – domain hosting the malicious archive
- [File] crowdstrike-hotfix.zip – hash c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
- [File] Setup.exe – hash 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
- [File] CrowdStrike.exe – hash 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
- [URL] hxxp://172.104.160[.]126:8099/payload2[.]txt – stealer payload delivery URL
- [File] New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm – hash 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
- [Hash] 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a – stealer-related hash
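As an added example (not code from the ANY.RUN report), the following Python matcher refangs the indicators listed above, checks constructed telemetry records against them, and flags any host containing "crowdstrike" outside the crowdstrike.com zone as a lookalike for analyst review; the sample events and the single trusted zone are assumptions, not values from the report.

```python
import re
# Indicators from the ANY.RUN report above, kept in their defanged form.
DEFANGED_DOMAINS = [
    "portalintranetgrupobbva[.]com", "crowdstrike-bsod[.]co",
    "crowdstrike-bsod[.]com", "crowdstrike-helpdesk[.]com",
]
DEFANGED_URLS = [
    "hxxps://link.storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip?download=1",
    "hxxp[://]172.104.160[.]126:8099/payload2[.]txt",
]
FILE_HASHES = {  # sha256 -> file name as reported
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
    "4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3": "CrowdStrike.exe",
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61": "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm",
}
# Assumption: crowdstrike.com is the only first-party zone treated as legitimate here.
LEGIT_ZONES = ("crowdstrike.com",)
def refang(indicator: str) -> str:
    """Undo the [.] / [://] / hxxp defanging so indicators compare against real telemetry."""
    s = indicator.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE).lower()
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URLS = {refang(u) for u in DEFANGED_URLS}

def check_event(event: dict) -> list:
    """Findings for one telemetry record with optional 'url', 'domain' and 'sha256' keys."""
    findings = []
    url = refang(event.get("url", ""))
    m = re.match(r"^https?://([^/:?#]+)", url)
    host = refang(event.get("domain", "")) or (m.group(1) if m else "")
    if url in URLS:
        findings.append(f"known malicious URL: {url}")
    if host in DOMAINS:
        findings.append(f"known malicious domain: {host}")
    elif "crowdstrike" in host and not any(host == z or host.endswith("." + z) for z in LEGIT_ZONES):
        findings.append(f"lookalike CrowdStrike domain: {host}")  # hand to an analyst for review
    sha = event.get("sha256", "").lower()
    if sha in FILE_HASHES:
        findings.append(f"known malicious file ({FILE_HASHES[sha]}): {sha}")
    return findings
# Constructed sample telemetry (not from the report) that exercises each rule once.
SAMPLE_EVENTS = [
    {"url": "https://link.storjshare.io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip?download=1"},
    {"domain": "crowdstrike-helpdesk.com"}, {"domain": "crowdstrike-update-portal.example"},
    {"domain": "falcon.crowdstrike.com"},
    {"sha256": "C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2"},
]
for ev in SAMPLE_EVENTS:
    print(ev, "->", check_event(ev) or "clean")
```

Hash and URL matches are exact; the lookalike rule is only a triage hint, since legitimate third parties may also use the vendor name in hostnames.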
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/crowdstrike-outage-abuse/