Jump to content
  • Cybercriminals exploit CrowdStrike chaos to spread Crowdstrike-hotfix.zip malware

    aum

    • 270 views
    • 2 minutes
     Share


    • 270 views
    • 2 minutes

    On Thursday, cybersecurity company CrowdStrike released a problematic update to its Falcon Sensor agent on Windows, causing major disruptions to the day-to-day operations of various organizations, including banks, airlines, and media companies. This problematic update caused nearly 8.5 million Windows PCs to continuously reboot with error code 0x50 or 0x7E Blue Screen of Death (BSOD) errors.

    Since then, CrowdStrike and Microsoft have provided guidance to affected customers to recover their PCs. You can check out CrowdStrike's official guide here and Microsoft's official guide here.

     

    While the world scrambles to fix the CrowdStrike-affected PCs, cybercriminals are taking advantage of this critical situation. CrowdStrike noticed that cybercriminals are distributing a malicious ZIP archive named crowdstrike-hotfix.zip (SHA256 hash: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2).

     

    The crowdstrike-hotfix.zip archive is malware and contains a HijackLoader payload that loads RemCos. CrowdStrike believes that the Spanish filenames and instructions within the ZIP archive indicate this campaign likely targets Latin America-based (LATAM) CrowdStrike customers.

     

    In addition to the malware campaign, cybercriminals are also targeting CrowdStrike customers with phishing campaigns. They are sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike employees in phone calls, posing as independent researchers to offer remediation insights, and even selling scripts to automate recovery from the CrowdStrike update issue.

     

    The following malicious domains were recently created for phishing campaigns:

     

    crowdstrike.phpartners[.]org crowdstrike0day[.]com crowdstrikebluescreen[.]com

    crowdstrike-bsod[.]com crowdstrikeupdate[.]com crowdstrikebsod[.]com

    www.crowdstrike0day[.]com www.fix-crowdstrike-bsod[.]com

    crowdstrikeoutage[.]info www.microsoftcrowdstrike[.]com crowdstrikeodayl[.]com

    crowdstrike[.]buzz www.crowdstriketoken[.]com www.crowdstrikefix[.]com fix-

    crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com crowdstrikedoomsday[.]com crowdstrikedown[.]com whatiscrowdstrike[.]com crowdstrike-helpdesk[.]com crowdstrikefix[.]com fix-crowdstrike-bsod[.]com

    crowdstrikedown[.]site crowdstuck[.]org crowdfalcon-immed-update[.]com

    crowdstriketoken[.]com crowdstrikeclaim[.]com crowdstrikeblueteam[.]com

    crowdstrikefix[.]zip crowdstrikereport[.]com

     

    CrowdStrike advises its customers to connect with CrowdStrike representatives only through official channels and stick to technical guidance provided by CrowdStrike and Microsoft. Microsoft has also recently updated their guide to offer an automated method involving recovery drives, which you can read about here.

     

    While CrowdStrike and Microsoft have worked to mitigate the immediate damage, the ongoing phishing and malware campaigns underscore the persistence of cybercriminals seeking to capitalize on chaos.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...