Threat actors have exploited the CrowdStrike outage to launch ecrime campaigns, phishing attacks, and malware deployments. The report highlights phishing, malicious domains, and a loader chain (HijackLoader delivering Remcos) used in campaigns affecting LATAM-focused targets. #CrowdStrikeOutage #HijackLoader #Remcos #LATAM #CrowdStrikeFalcon
Keypoints
- Threat actors are leveraging the CrowdStrike outage to ramp up ecrime operations, including phishing, scam websites, and malware delivery.
- Phishing remains the top attack vector, with IT support scams routinely used to pressure victims into action.
- Attackers registered malicious domains to facilitate phishing campaigns, scam sites, and malware hosting.
- HijackLoader uses DLL search-order hijacking to load and execute prebuilt malware (Remcos) from within a proxy file chain.
- Remcos is deployed as the primary payload, with C2 communications observed to a remote server (e.g., 213.5.130.58:433).
- ZIP delivery schemes mimic legitimate updates or hotfixes to lure users into executing malware via Setup.exe.
MITRE Techniques
- [T1566.001] Phishing – “phishing emails are the number one attack vector that threat actors use in an attempt to compromise systems.” – Phishing remains the primary delivery method for initial access.
- [T1583.001] Acquire Infrastructure – Domain registration – “malicious threat actors swiftly began registering deceptive domains to deploy phishing emails, create scam websites, and host malware.” – Adversaries use registered domains to host fraud and malware delivery.
- [T1071.001] Web Protocols – Remcos beacon to C2 – “beacon out to a C2 server at 213.5.130[.]58[:]433.” – C2 communications for the Remcos payload.
- [T1574.001] Hijack Execution Flow – DLL search-order hijacking – “will load and execute the HijackLoader’s initial attack chain from within the madBasic_.bpl file via DLL search-order hijacking.” – Abuse of DLL search order to run malicious code.
Indicators of Compromise
- [Domain] – CrowdStrike-related malicious domains – crowdstrike0day.com, crowdstrikeoutage.info, and other domains
- [IP] – Network addresses associated with C2 and hosting – 52.219.116.113, 185.199.110.153, and many others
- [File Hash] – Files used in the malware chain – Crowdstrike-hotfix.zip: C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2; maidenhair.cfg: 931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6
- [File Name] – Files referenced in the malware chain – Crowdstrike-hotfix.zip, Setup.exe
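The indicators above are only useful once they are normalised (the report defangs the C2 address as 213.5.130[.]58[:]433) and matched against telemetry. The following Python script is an added example, not code from the report or its authors: it refangs the listed indicators, then sweeps a constructed set of DNS, network and file-event log lines (the key=value format and the sample lines are assumptions, not real telemetry) for domain, subdomain, IP, SHA-256 and filename hits.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators quoted from the report. The IP "213.5.130[.]58" is defanged there
# and is normalised by refang() before matching.
REPORT_IOCS: Dict[str, List[str]] = {
    "domain": ["crowdstrike0day.com", "crowdstrikeoutage.info"],
    "ip": ["52.219.116.113", "185.199.110.153", "213.5.130[.]58"],
    "sha256": [
        "C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2",
        "931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6",
    ],
    "filename": ["Crowdstrike-hotfix.zip", "Setup.exe"],
}


def refang(value: str) -> str:
    """Undo common defanging ("[.]", "(.)", "[:]", "hxxp") and lower-case the value."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").replace("hxxp", "http"))


def normalise(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator and keep each category as a set for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}


def domain_matches(query: str, domains) -> bool:
    """True for an exact match or any subdomain of a listed domain (not a mere suffix)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Field pattern for the constructed log format: space-separated key=value pairs.
KV = re.compile(r"(\w+)=(\S+)")


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) hits for a single log line."""
    fields = dict(KV.findall(line))
    hits: List[Tuple[str, str]] = []
    query = fields.get("query")
    if query:
        hits.extend(("domain", d) for d in iocs["domain"] if domain_matches(query, [d]))
    dst = fields.get("dst")
    if dst:
        ip = dst.rsplit(":", 1)[0] if ":" in dst else dst  # drop the port
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    digest = fields.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(("sha256", digest.lower()))
    path = fields.get("file")
    if path:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in iocs["filename"]:
            hits.append(("filename", base))
    return hits


def scan_log(lines: List[str], iocs: Dict[str, List[str]] = REPORT_IOCS) -> List[Tuple[int, str, str]]:
    """Sweep log lines and return (line_number, kind, indicator) for every hit."""
    norm = normalise(iocs)
    results: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        for kind, indicator in scan_line(line, norm):
            results.append((number, kind, indicator))
    return results


# Constructed sample telemetry (assumed format; not taken from the report).
SAMPLE_LOG = [
    "2024-07-19T10:02:11Z host=ws-17 type=dns query=update.crowdstrikeoutage.info",
    "2024-07-19T10:02:12Z host=ws-17 type=dns query=crowdstrike.com",
    "2024-07-19T10:03:40Z host=ws-17 type=net dst=213.5.130.58:433 proto=tcp",
    "2024-07-19T10:03:41Z host=ws-17 type=net dst=10.0.0.5:443 proto=tcp",
    "2024-07-19T10:04:02Z host=ws-17 type=file file=C:\\Users\\a\\Downloads\\crowdstrike-hotfix.zip "
    "sha256=c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
    "2024-07-19T10:04:10Z host=ws-17 type=file file=C:\\Windows\\System32\\notepad.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for number, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} hit on {indicator}")
```

Two design points matter for a real deployment: subdomain matching is anchored on a leading dot so that a lookalike such as notcrowdstrikeoutage.info does not fire on the crowdstrikeoutage.info entry, and hashes are compared case-insensitively because the report lists them in upper case while most EDR exports are lower case. Filename hits alone are weak evidence (Setup.exe is common), so treat them as context for a hash or network hit rather than as an alert on their own.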