Pierluigi Paganini July 29, 2024

CrowdStrike warns about a new threat actor targeting German customers by exploiting a recent issue with Falcon Sensor updates.

On July 24, 2024, CrowdStrike experts identified a spear-phishing campaign targeting German customers by exploiting the recent issue with Falcon Sensor updates.

A previously unknown threat actor set up a fake website, resembling a German entity, to distribute a bogus CrowdStrike Crash Reporter installer. The website was registered on July 20, 2024, shortly after CrowdStrike reported the problem with the Falcon sensor update. The site was used to deploy JavaScript disguised as JQuery to download and deobfuscate the installer. The installer featured CrowdStrike branding, German language localization, and required a password to install malware.

“The threat actor leveraged a spearphishing page hosted on a URL with the format http[:]//{German Entity}.it[.]com/crowdstrike/. This spearphishing page presented the targeted victim with a download link to a ZIP file containing a malicious InnoSetup installer.” reported the CrowdStrike’s Counter Adversary Operations team. “The website it[.]com is a legitimate domain registrar, and the threat actor likely created the spearphishing page after the Falcon sensor update was deployed.”

The spear-phishing page includes the brands of the targeted company and CrowdStrike. The page was crafted to trick the recipient into downloading the fake CrowdStrike Crash Reporter.

The spear-phishing page included a download link pointing to a ZIP archive file that contained a malicious InnoSetup installer. The installer injected the executable into a JavaScript file named “jquery-3.7.1.min.js” to evade detection.

Upon executing the installer, the customers are prompted to enter a “Backend-Server” to complete the set up.

Failure to provide the specific input displays the error message “A connection error has occurred” (in German language), preventing the installation from being completed. However, the experts noticed that the installer did not check for connectivity.

CrowdStrike reported that an InnoSetup installer was password-protected and contained a script (install_script.iss) and two files (csmon8.dat and Java8Runtime.exe). While the final payload has not been recovered, metadata from these files has been obtained.

The InnoSetup Installer had a file creation timestamp of July 12, 2024, which is close to the date of the sensor content update (July 19, 2024). This alignment suggests that the threat actor may have used timestomping, an anti-forensic technique to alter file timestamps, to obscure the creation dates and evade detection.

CrowdStrike believes that the campaign is highly targeted. The attack involves a fake installer that requires the user to enter a specific password, suggesting that only targeted individuals with prior knowledge would be able to proceed.

“The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign. For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details.” concludes the report. “Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)