Fake CrowdStrike Updates Target Organizations with Malware and Data Wiping Attacks

    Threat Actors Impersonate Security Vendor to Spread Malicious Payloads

    Cybercriminals have been taking advantage of the widespread disruption caused by CrowdStrike's faulty software update of July 19, 2024 to distribute malware and data-wiping tools to organizations. In the aftermath of the defective update, which crashed Windows systems worldwide, threat actors have been sending phishing emails impersonating the security vendor in order to deliver malicious payloads.

    As companies hit by the outage scrambled to recover systems and restore normal operations, cybercriminals seized the opportunity to exploit the situation. Researchers have observed a rise in phishing messages that pretend to offer help from CrowdStrike but are instead designed to install remote access trojans (RATs) and destructive malware on victims' devices.

    Fake CrowdStrike Hotfixes Spread Remote Access Trojan and Data Wiper

    One such campaign distributed a fake CrowdStrike hotfix that installed the Remcos RAT when run, as observed by researcher g0njxa and the automated analysis platform AnyRun. The payload was served from a phishing website impersonating the Spanish bank BBVA, which told employees and partners to install the fake update in order to avoid connectivity problems with the company's network.

    In another incident, threat actors distributed a data-wiping malware file under the guise of an urgent update from CrowdStrike. According to a warning from AnyRun, the malicious executable overwrites the contents of files on the infected system with zeros, destroying the data, and then sends a report over Telegram.

    This campaign was attributed to the pro-Iranian hacker group Handala, which sent phishing emails to Israeli companies containing a link to download a "Crowdstrike.exe" file carrying the wiper.
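    A wiper that overwrites file contents with zeros leaves a distinctive artifact: files that keep their original size but contain nothing except 0x00 bytes. The following forensic triage script is an added example written for this article, not code from the page, from AnyRun or from any vendor. It walks a directory tree (a mounted disk image or recovered share in practice) and reports every non-empty file that is entirely zero-filled, reading in chunks so large files do not have to fit in memory. It deliberately excludes empty files (truncation is a different artifact) and files that merely contain long runs of zeros, such as preallocated or sparse files. The evidence tree it scans is constructed inside a temporary directory so the script runs offline; the function and file names are the example's own.

```python
"""
Forensic triage for wiper artifacts: locate files whose contents have been
overwritten entirely with 0x00 bytes.  Added example, not code from the page
or from any vendor.  The sample evidence tree is constructed here so the
script runs offline; real use points find_zeroed_files() at a mounted image.
"""
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large files never load whole into memory


def is_zero_filled(path: Path) -> bool:
    """True if the file is non-empty and every byte is 0x00.

    Empty files are excluded on purpose: a zero-length file (truncation) is a
    different artifact from a file whose original size was kept but zero-filled.
    """
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True  # reached EOF without seeing a non-zero byte
            # bytes.count(0) is a C-level scan; any non-zero byte ends the check
            if chunk.count(0) != len(chunk):
                return False


def find_zeroed_files(root: Path, min_size: int = 1) -> list[Path]:
    """Walk `root` and return every regular file that is zero-filled.

    `min_size` lets an analyst ignore tiny files that would only add noise.
    Symlinks are skipped so the scan never leaves the evidence tree.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                if p.stat().st_size >= min_size and is_zero_filled(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
    return sorted(hits)


def build_sample_tree(base: Path) -> dict[str, Path]:
    """Constructed evidence tree: intact, wiped, mostly-zero and empty files."""
    files = {
        "intact_doc": base / "docs" / "report.docx",
        "wiped_doc": base / "docs" / "budget.xlsx",
        "wiped_db": base / "data" / "customers.db",
        "prealloc": base / "data" / "prealloc.bin",  # zeros, but one real byte at the end
        "empty": base / "data" / "lock",
    }
    for p in files.values():
        p.parent.mkdir(parents=True, exist_ok=True)
    files["intact_doc"].write_bytes(b"PK\x03\x04" + os.urandom(4096))
    files["wiped_doc"].write_bytes(bytes(8192))
    files["wiped_db"].write_bytes(bytes(3 * CHUNK + 17))      # spans several read chunks
    files["prealloc"].write_bytes(bytes(2 * CHUNK) + b"\x90")  # must NOT be reported
    files["empty"].write_bytes(b"")
    return files


def demo() -> list[str]:
    """Build the sample tree in a temp dir, scan it, return relative hit paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        rel = [str(h.relative_to(base)).replace(os.sep, "/") for h in find_zeroed_files(base)]
        return sorted(rel)


if __name__ == "__main__":
    for rel in demo():
        print("zero-filled:", rel)
```

    Running the script reports only the two files that were fully overwritten; the preallocated file, which is zeros except for its final byte, and the empty file are not flagged. On a real image, a sudden cluster of such files with recent modification times, combined with outbound connections to Telegram's API from an unexpected process, is the pattern to look for.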

    CrowdStrike Outage Impact Spanned Millions of Devices and Critical Industries

    The original CrowdStrike update problem turned out to be highly disruptive, affecting an estimated 8.5 million Windows devices globally according to Microsoft. Although that is less than 1% of all Windows systems, the outage severely disrupted operations across multiple critical industries. The faulty update was distributed between 04:09 and 05:27 UTC on July 19, 2024, and systems that received it in that window crashed, leading to flight cancellations, disruption at financial services providers and hospitals, and outages of rail and emergency services in some areas.

    In the aftermath, CrowdStrike explained that a faulty channel file update triggered a logic error in the sensor that caused affected devices to crash. Although the problematic update was reverted within the same morning, the scale of the business disruption and the hands-on effort needed to recover each affected machine left openings for threat actors to run social engineering and malware distribution campaigns impersonating the security vendor.

    Organizations are advised to treat any unsolicited communication claiming to be from CrowdStrike with suspicion and to take guidance only from the vendor's official support channels. CrowdStrike's published remediation did not involve downloading and running a new executable, so any email offering an "update" or "hotfix" file is itself a red flag; at a minimum, verify the publisher signature on any binary presented as a fix before it is run. The fake CrowdStrike update attacks show how cybercriminals exploit windows of opportunity during times of turmoil.
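    The advice above can be turned into a concrete mail-gateway check. The script below is an added example written for this article, not code from the page or from CrowdStrike. It parses a raw email with Python's standard `email` module and applies three tests to any message that claims to come from CrowdStrike: the sender's domain must be the vendor's real domain (assumed here to be exactly `crowdstrike.com` and its subdomains), every link in the body must point at that domain, and there must be no executable attachment. Both sample messages, including the lookalike sender domain under the reserved `.example` TLD, are constructed for the demo and are not real indicators.

```python
"""
Mail-gateway triage for messages claiming to come from CrowdStrike.
Added example, not code from the page or from CrowdStrike.  The trusted
domain list is an assumption; the sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"crowdstrike.com"}  # assumed allow-list: the vendor's own domain
EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".bat", ".ps1", ".js", ".vbs", ".hta", ".zip")
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain_ok(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw: str) -> dict:
    """Return the vendor claim, a list of findings and a deliver/quarantine verdict."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    claims_vendor = "crowdstrike" in (display + addr + msg.get("Subject", "")).lower()
    if claims_vendor and not _domain_ok(sender_domain):
        findings.append(f"sender {addr!r} claims CrowdStrike but domain is not trusted")
    for url in LINK_RE.findall(_body_text(msg)):
        host = urlparse(url).hostname or ""
        if not _domain_ok(host):
            findings.append(f"link to untrusted host {host!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment {name!r}")
    return {
        "claims_vendor": claims_vendor,
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


# Constructed sample: lookalike sender, link to the same host, .exe attachment.
SAMPLE_PHISH = """\
From: CrowdStrike Support <support@crowdstrike-hotfix.example>
To: it-ops@victim.example
Subject: URGENT: CrowdStrike hotfix required to restore connectivity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Download the emergency update now: https://crowdstrike-hotfix.example/Crowdstrike.exe

--b1
Content-Type: application/octet-stream; name="Crowdstrike.exe"
Content-Disposition: attachment; filename="Crowdstrike.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample of a message that passes all three checks.
SAMPLE_LEGIT = """\
From: CrowdStrike Support <support@crowdstrike.com>
To: it-ops@victim.example
Subject: Remediation guidance
Content-Type: text/plain; charset="utf-8"

Guidance is published at https://www.crowdstrike.com/ only.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

    The sender-domain check is only meaningful if the gateway already enforces SPF, DKIM and DMARC for that domain; without that, the From header can be forged outright and only the link and attachment checks carry weight. Quarantining on any finding is deliberately conservative for a vendor whose own remediation did not involve emailed files.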
