CrowdStrike has issued a warning about a new threat actor taking advantage of the Falcon Sensor update incident to distribute suspicious installers aimed at German customers in a highly targeted campaign. The cybersecurity firm detected an unattributed spear-phishing attempt on July 24, 2024, distributing a fake CrowdStrike Crash Reporter installer through a website impersonating a German entity.
The imposter website was created on July 20, following the update crash that affected millions of Windows devices globally. According to CrowdStrike’s Counter Adversary Operations team, the website uses JavaScript to download and deobfuscate the installer, which requires a password to proceed with the malware installation. The spear-phishing page includes a link to a ZIP archive file containing a malicious InnoSetup installer, with the executable code injected into a JavaScript file to evade detection. Users who run the bogus installer are prompted to enter a “Backend-Server” to continue, but the final payload deployed remains unknown.
Phishing Attacks Exploiting CrowdStrike Update Issue
The campaign is believed to be highly targeted due to the password protection and German language used, indicating a focus on German-speaking CrowdStrike customers. The threat actor demonstrates awareness of operational security practices by registering a subdomain under the it[.]com domain and encrypting the installer contents to prevent analysis and attribution.
A phishing domain crowdstrike-office365[.]com hosts rogue archive files containing a Microsoft Installer (MSI) loader that executes the Lumma information stealer. A ZIP file (“CrowdStrike Falcon.zip”) contains a Python-based information stealer known as Connecio, which collects system information and exfiltrates it to SMTP accounts.
CrowdStrike’s CEO George Kurtz announced that 97% of the affected Windows devices are now operational following the global IT outage caused by the update issue. Kurtz expressed regret for the disruption and assured a focused and urgent response to regain trust. Chief Security Officer Shawn Henry also apologized for the incident and pledged to deliver better protection against adversaries.
Bitsight’s Analysis Reveals Traffic Patterns of CrowdStrike Machines
Bitsight’s analysis of CrowdStrike machines across organizations globally highlighted significant traffic spikes and drops before and after the IT outage, prompting further investigation into potential correlations. Security researcher Pedro Umbelino emphasized the need to explore the connection between traffic patterns and the outage to better understand the events.
For more exclusive content, follow us on Twitter and LinkedIn.