Likely eCrime Actor Capitalizing on Falcon Sensor Issues | CrowdStrike

CrowdStrike disclosed a Windows Falcon sensor issue fixed on July 19, 2024, after which threat actors leveraged the event to push a malicious ZIP named crowdstrike-hotfix.zip. The archive delivers HijackLoader to load RemCos, with the campaign likely targeting LATAM CrowdStrike customers. #HijackLoader #RemCos

Keypoints

  • The Falcon content update issue on July 19, 2024 was identified and patched by CrowdStrike.
  • Threat actors distributed a malicious crowdstrike-hotfix.zip containing HijackLoader to deploy RemCos on targeted systems.
  • The ZIP and related files include Spanish-language instructions, suggesting LATAM targets among CrowdStrike customers.
  • HijackLoader uses DLL search-order hijacking to execute first-stage code inside madBasic_.bpl before loading the RemCos payload.
  • RemCos connects to a C2 server at 213.5.130.58 on port 433, giving the attacker remote control of the infected host from their infrastructure.
  • Post-incident activity included typosquatting domains impersonating CrowdStrike, marking the first observed exploitation of the Falcon issue against LATAM customers.
  • CrowdStrike provides specific recommendations, including official-channel communications, Falcon LogScale queries, and IOC-focused detection guidance.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – Setup.exe loads the HijackLoader first-stage inside madBasic_.bpl via DLL search-order hijacking. ‘Setup.exe will load and execute the HijackLoader first-stage inside madBasic_.bpl … via DLL search-order hijacking.’
  • [T1071.001] Web Protocols – RemCos payload contacts the command-and-control (C2) server at 213.5.130[.]58[:]433. ‘RemCos payload, which contacts the command-and-control (C2) server at 213.5.130[.]58[:]433.’

Indicators of Compromise

  • [File name] – crowdstrike-hotfix.zip, Setup.exe, and other related components (e.g., instrucciones.txt, maidenhair.cfg)
  • [SHA256 hash] – crowdstrike-hotfix.zip: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2; Setup.exe: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
  • [IP address] – 213.5.130.58, 213.5.130.58:433
  • [Domain] – typosquatting domains impersonating CrowdStrike (observed post-incident)
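The indicators above are the kind of values a defender would sweep endpoint telemetry for. The script below is an added example, not CrowdStrike's code or the Falcon LogScale queries the post refers to: it takes the hashes, file names and C2 address from this page, re-fangs the published network indicators, and runs constructed file and network events through a simple matcher. Only the IOC values come from the page; the event schema, the confidence labels and the sample events are assumptions made for the example. Hash and C2 matches are treated as high confidence, a bare file-name match as low confidence because names such as Setup.exe are common in legitimate software.

```python
"""Match constructed endpoint telemetry against the indicators listed on this page.

Added example, not CrowdStrike's code. The event schema and the sample
events are constructed for illustration; only the IOC values come from the page.
"""

# Indicators copied from the page. Network indicators are kept in their
# published (defanged) form and normalised at load time.
FILE_HASHES = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
}
FILE_NAMES = {"crowdstrike-hotfix.zip", "setup.exe", "instrucciones.txt",
              "maidenhair.cfg", "madbasic_.bpl"}
NETWORK_DEFANGED = {"213.5.130[.]58[:]433", "213.5.130[.]58"}


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable literal."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


_net = {refang(v) for v in NETWORK_DEFANGED}
NET_ENDPOINTS = {v for v in _net if ":" in v}   # ip:port pairs
NET_IPS = {v for v in _net if ":" not in v}     # bare addresses


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(event: dict):
    """Return (reasons, confidence) for one event; confidence is None when nothing matches.

    Hash and C2 matches are high confidence. A file-name match alone is low
    confidence, because names like Setup.exe are common in benign software.
    """
    reasons = []
    strong = False
    kind = event.get("type")
    if kind == "file":
        digest = event.get("sha256", "").lower()   # hashes may be logged in upper case
        if digest in FILE_HASHES:
            reasons.append(f"sha256 matches known {FILE_HASHES[digest]}")
            strong = True
        name = _basename(event.get("path", ""))
        if name in FILE_NAMES:
            reasons.append(f"file name {name} is on the IOC list")
    elif kind == "network":
        endpoint = f"{event.get('dst_ip')}:{event.get('dst_port')}"
        if endpoint in NET_ENDPOINTS:
            reasons.append(f"connection to C2 endpoint {endpoint}")
            strong = True
        elif event.get("dst_ip") in NET_IPS:
            reasons.append(f"connection to C2 address {event['dst_ip']}")
            strong = True
    if not reasons:
        return [], None
    return reasons, "high" if strong else "low"


def scan(events):
    """Run match_event over a list of events and return only the hits."""
    hits = []
    for ev in events:
        reasons, confidence = match_event(ev)
        if reasons:
            hits.append({"id": ev["id"], "confidence": confidence, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real logs). Event 2 is a benign installer
# that happens to be named Setup.exe; event 4 is unrelated traffic.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "path": r"C:\Users\ana\Downloads\crowdstrike-hotfix.zip",
     "sha256": "C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2"},
    {"id": 2, "type": "file", "path": r"C:\Program Files\SomeVendor\Setup.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"id": 3, "type": "network", "dst_ip": "213.5.130.58", "dst_port": 433},
    {"id": 4, "type": "network", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 5, "type": "file", "path": r"C:\Users\ana\Downloads\crowdstrike-hotfix\Setup.exe",
     "sha256": "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["id"], hit["confidence"], "; ".join(hit["reasons"]))
```

Running it flags events 1, 3 and 5 as high confidence and event 2 as low confidence (name only), while event 4 produces no hit. The bare-address check in the network branch is deliberate: the page lists both 213.5.130.58 and 213.5.130.58:433, so a connection to that address on another port is still reported rather than silently ignored.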

Read more: https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/