CrowdStrike Warns of New Phishing Campaign Targeting German Customers
CrowdStrike has warned that an unknown threat actor is trying to exploit the recent Falcon Sensor update incident to distribute malicious installers to German customers in what appears to be a highly targeted campaign.
According to the cybersecurity firm, an unattributed spear-phishing attempt was detected on July 24, 2024, distributing a counterfeit CrowdStrike Crash Reporter installer via a website impersonating an unnamed German organization.
The fraudulent website was reportedly set up on July 20, after the faulty update crashed nearly 9 million Windows devices and caused widespread disruption to IT services worldwide.
“Upon clicking the Download button, the website deploys JavaScript (JS) code disguised as JQuery v3.7.1 to download and decode the installer,” CrowdStrike’s Counter Adversary Operations team said.
“The installer showcases the CrowdStrike logo, German language support, and demands a password prior to proceeding with the malware installation.”
More specifically, the spear-phishing page linked to a ZIP archive containing a malicious InnoSetup installer, with the code that serves the executable embedded in a JavaScript file named “jquery-3.7.1.min.js”, likely in an effort to evade detection.
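A script file that masquerades as a library build but carries an embedded Windows executable, as the article describes, can be caught by decoding long base64 runs and checking for a PE image. The scanner below is an added example, not CrowdStrike's code or tooling; the sample JS, the fake PE bytes and the 200-character run threshold are constructed assumptions.

```python
import base64
import re
import struct

# Long runs of base64 alphabet; 200 chars is an assumed threshold (tune per environment).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(script: bytes) -> list[dict]:
    """Return every base64 run in the script text that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(script):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # repair padding that was stripped
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(), "encoded_len": len(run),
                         "decoded_len": len(decoded)})
    return hits


# Constructed minimal PE-shaped blob: MZ header, e_lfanew = 0x80, PE signature at 0x80.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
           + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 64)

# Constructed sample "library" file: one run hides the PE, a second run is a benign decoy.
SAMPLE_JS = (b"/* constructed sample: file named like a jQuery build */\n"
             b'var p="' + base64.b64encode(FAKE_PE) + b'";\n'
             b'var d="' + base64.b64encode(b"x" * 300) + b'";\n')

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_JS):
        print(f"embedded PE at offset {hit['offset']}, {hit['decoded_len']} bytes decoded")
```

Only the run that decodes to an MZ/PE image is reported; the decoy run of equal or greater length is ignored because the signature check fails.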

Users who run the fraudulent installer are prompted to enter a “Backend-Server” value before it proceeds. CrowdStrike said it was unable to recover the final payload delivered by the installer.
The campaign is believed to be highly targeted, as the installer is password-protected and requires input likely known only to the intended victims. The use of German further suggests the scheme is tailored to German-speaking CrowdStrike customers.
“The threat actor seems to be well-versed in operational security (OPSEC) measures, as they have emphasized anti-forensic techniques in this campaign,” CrowdStrike said.
“For instance, the actor registered a subdomain under the it[.]com domain, thwarting historical scrutiny of the domain registration details. Additionally, encrypting the installer content and restricting further actions without a password hinders additional analysis and tracing.”
This development comes amid a surge in phishing attacks exploiting the CrowdStrike update outage to distribute stealer malware:
- A phishing domain, crowdstrike-office365[.]com, hosting deceptive archive files with a Microsoft Installer (MSI) loader that executes a commodity information stealer named Lumma.
- A ZIP file (“CrowdStrike Falcon.zip”) containing a Python-based information stealer known as Connecio, which collects system data, the external IP address, and information from multiple web browsers and sends it to SMTP accounts listed at a Pastebin dead-drop URL.
George Kurtz, CrowdStrike’s CEO, said that 97% of the Windows devices affected by the global IT outage have been restored.
“At CrowdStrike, our objective is to gain your confidence by protecting your operations. I deeply regret the disruption caused by this downtime and extend my apologies to all those affected,” Kurtz said. “While perfection can’t be guaranteed, a prompt, efficient, and urgent response is assured.”
Previously, Shawn Henry, the company’s chief security officer, expressed remorse for failing to “shield honorable individuals from malicious activities,” acknowledging that they had “let down the very people they promised to safeguard.”
“The trust we painstakingly built over time was shattered within hours, and it was a painful blow,” Henry said. “Our commitment is to regain your trust by providing the necessary protection to thwart adversaries targeting you. Despite the setback, the mission persists.”
Meanwhile, an analysis by Bitsight of traffic patterns from CrowdStrike machines worldwide has surfaced two notable data points that warrant further scrutiny.
“Initially, on July 16 around 22:00, a significant spike in traffic was observed, followed by a noticeable decline in outgoing traffic from organizations to CrowdStrike,” security researcher Pedro Umbelino said. “Secondly, after the inception of the 19th, a significant reduction of 15% to 20% in the quantity of distinct IPs and businesses linked to CrowdStrike Falcon servers was recorded.”
“While the root cause of the traffic irregularities on the 16th cannot be conclusively determined, it poses the fundamental question of ‘Is there a possible link between the activity on the 16th and the outage on the 19th?’”