CrowdStrike spotted threat actors attempting to benefit from the recent IT outage caused by the faulty update of the cybersecurity firm to distribute Remcos RAT malware.
The threat actors attempted to distribute the Remcos RAT to the customers of the cybersecurity firm in Latin America under the guise of providing an emergency fix for the problem.
The attackers attempted to trick the company’s customers into opening a ZIP archive file named “crowdstrike-hotfix.zip.” The archive includes a loader named Hijack Loader used to execute the Remcos RAT.
HijackLoader, advertised as a private crypting service called ASMCrypt, is a modular, multi-stage loader designed to evade detection.
“CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip
. The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos. Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers.” reads the report published by Kaspersky.
On July 19, 2024, a user from Mexico uploaded a ZIP file named crowdstrike-hotfix.zip to an online malware-scanning service. A file in the archive (“instrucciones.txt”), written in Spanish, pretends to provide recovery instructions for systems impacted by the faulty update. It directs recipients to run a Setup.exe file to initiate the bogus fix.
This is the first case of reported attacks that attempted to capitalize on the Crowdstrike incident.
Following the content update issue, threat actors also set up several typosquatting domains impersonating CrowdStrike. The domains were used to advertise services to companies affected by the issue in return for a cryptocurrency payment.
The cybersecurity firm recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and follows instructions including in the technical guidance the company support teams have provided.
The company also provided Indicators of Compromise (IOCs) for the campaign distributing the Remcos RAT malware.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)