
CrowdStrike warns of new phishing scam targeting German customers

July 26, 2024 | Mohit Kumar | Enterprise Security / Network Security


CrowdStrike is warning that an unattributed threat actor is exploiting the Falcon sensor update fiasco to distribute a malicious installer to German customers in a highly targeted campaign.

The cybersecurity firm said it detected the unattributed spear-phishing attempt on July 24, 2024. It distributed a fake CrowdStrike Crash Reporter installer via a website impersonating a German entity that CrowdStrike did not name.

The phishing site appears to have been set up on July 20, a day after a faulty Falcon sensor content update crashed roughly 8.5 million Windows devices and caused major disruption to IT systems worldwide.

“Once a user clicks the Download button, the site uses JavaScript (JS) disguised as JQuery v3.7.1 to download the installer and decrypt the code,” CrowdStrike’s Counter Adversary Operations team reported.

“The installer contains CrowdStrike branding, a German localization, and a password (is) required to continue installing the malware.”

Specifically, the phishing page linked to a ZIP archive containing a malicious Inno Setup installer. The code that fetches and decodes that installer was hidden inside a JavaScript file named "jquery-3.7.1.min.js" so that it would blend in with the legitimate library and evade casual inspection.
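A defender reviewing a page like this wants to know whether a script called "jquery-3.7.1.min.js" is actually jQuery. The example below is added here and is not CrowdStrike's or The Hacker News's code: it hashes a script and compares it with a locally pinned hash of the genuine library, then looks for loader behaviour (fetching an archive, byte-level decoding, forcing a download) that a UI library has no reason to contain. The "genuine" bytes, the pinned hash, the lookalike sample with its toy XOR decode, and the indicator list are all constructed for illustration.

```python
"""Triage a JavaScript file that claims to be jQuery.

Added example (not CrowdStrike's or the article's code). Two checks:
1. Hash the file and compare it with a pinned hash of the genuine library.
2. Flag loader behaviour that a UI library should never contain.
"""
import hashlib
import re

# Constructed stand-in for the genuine library. In practice, pin the SHA-256
# of jquery-3.7.1.min.js as fetched from the vendor CDN at build time.
GENUINE_JQUERY = b"/*! jQuery v3.7.1 | (c) OpenJS Foundation */ !function(e,t){/* ... */}"
PINNED_SHA256 = hashlib.sha256(GENUINE_JQUERY).hexdigest()

# Constructed lookalike: keeps the jQuery header comment, but fetches an
# archive, XOR-decodes it in the browser (toy stand-in for "decrypt the code")
# and forces the browser to save it as a download.
FAKE_JQUERY = b"""/*! jQuery v3.7.1 | (c) OpenJS Foundation */
fetch('/static/CrowdStrike_Crash_Reporter.zip').then(r=>r.arrayBuffer()).then(b=>{
  var k=0x5a,u=new Uint8Array(b);for(var i=0;i<u.length;i++)u[i]^=k;
  var a=document.createElement('a');a.href=URL.createObjectURL(new Blob([u]));
  a.download='CrowdStrike_Crash_Reporter.zip';a.click();});
"""

# Loader-style indicators (constructed list). One hit is suspicious in a file
# that should be a pure UI library; several together are a strong signal.
INDICATORS = {
    "fetches_archive": re.compile(rb"fetch\([^)]*\.(zip|exe|msi)", re.I),
    "byte_level_decode": re.compile(rb"Uint8Array|atob\(|fromCharCode", re.I),
    "forces_download": re.compile(rb"\.download\s*=|createObjectURL\("),
    "blob_build": re.compile(rb"new Blob\("),
}


def triage(data: bytes, pinned_sha256: str = PINNED_SHA256) -> dict:
    """Return a verdict for a script that claims to be jQuery."""
    digest = hashlib.sha256(data).hexdigest()
    claims_jquery = b"jQuery v" in data[:200]          # header comment check
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    return {
        "sha256": digest,
        "matches_pin": digest == pinned_sha256,
        "claims_jquery": claims_jquery,
        "indicators": hits,
        # Claims to be jQuery, is not the pinned copy, and behaves like a loader.
        "suspicious": claims_jquery and digest != pinned_sha256 and bool(hits),
    }


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_JQUERY), ("lookalike", FAKE_JQUERY)):
        v = triage(blob)
        print(f"{label}: matches_pin={v['matches_pin']} "
              f"suspicious={v['suspicious']} indicators={v['indicators']}")
```

The hash comparison is the decisive check; the indicator scan only explains why a mismatching file deserves attention and will miss obfuscated loaders, so treat it as triage, not a verdict.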


Users who run the fake installer are prompted for a password in a field labelled "Backend-Server" before installation continues. CrowdStrike said it was unable to recover the final payload deployed via the installer.

The campaign is rated as highly targeted because the installer is password-protected and requires input that is likely known only to the intended victims. The German-language localization further suggests the activity is aimed at German-speaking CrowdStrike customers.

“The threat actor appears to be highly aware of operational security (OPSEC) practices, as they have focused on anti-forensics techniques during this campaign,” CrowdStrike said.

“For example, the actor registered a subdomain under the it(.)com domain, preventing historical analysis of domain registration details. Additionally, encrypting the installer content and preventing further actions without a password prevents further analysis and attribution.”


The development comes amid a wave of phishing attacks exploiting the CrowdStrike update issue to spread stealer malware:

  • The crowdstrike-office365(.)com phishing domain, which hosts fake archive files containing a Microsoft Installer (MSI) loader that ultimately runs a commodity information stealer called Lumma.
  • A ZIP file ("CrowdStrike Falcon.zip") containing a Python-based information stealer called Connecio, which collects system information, the external IP address, and data from various web browsers, then exfiltrates it via SMTP accounts listed in a Pastebin URL.

CrowdStrike CEO George Kurtz on Thursday said 97% of Windows devices that were knocked offline during the global IT outage are now operational.

“At CrowdStrike, our mission is to earn trust by protecting your operations. I am deeply sorry for the disruption this outage has caused, and I personally apologize to everyone affected,” Kurtz said. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”

Earlier, the company’s chief security officer Shawn Henry apologized for failing to “protect good people from bad things” and for “failing those we’re sworn to protect.”

“The confidence we had built in drips over the years was lost in buckets in a matter of hours, and that was a gut punch,” Henry admitted. “We are committed to earning back your trust by providing the protection you need to destroy the adversaries that attack you. Despite this setback, the mission continues.”

Meanwhile, Bitsight's analysis of traffic patterns from machines running CrowdStrike across organizations worldwide has surfaced two "interesting" data points that warrant further investigation.

"First, there was a huge increase in traffic around 10 p.m. on July 16, followed by a clear and significant drop in traffic from organizations to CrowdStrike," said security researcher Pedro Umbelino. "Second, there was a significant drop, between 15% and 20%, in the number of unique IP addresses and organizations connecting to CrowdStrike Falcon servers after the dawn of the 19th."

"While we cannot say for sure what the main cause of the change in traffic on the 16th was, it is nevertheless a valid question: Is there a connection between the observations on the 16th and the outage on the 19th?"
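The metric Bitsight describes, unique source IPs and organizations seen connecting to a destination per day and the day-over-day change, is straightforward to reproduce from flow or firewall logs. The example below is added here and is not Bitsight's code or data: the flow records, the destination label "falcon", the organization names and the 15% alert threshold are all constructed for illustration.

```python
"""Per-day unique sources talking to a destination, with day-over-day change.

Added example (not Bitsight's code or data). All records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (UTC timestamp, source IP, organization, destination).
# Real input would be NetFlow or firewall logs; these values are illustrative only.
FLOWS = [
    ("2024-07-18T09:00:00Z", "203.0.113.10", "org-a", "falcon"),
    ("2024-07-18T09:05:00Z", "203.0.113.11", "org-a", "falcon"),
    ("2024-07-18T10:00:00Z", "198.51.100.5", "org-b", "falcon"),
    ("2024-07-18T11:00:00Z", "198.51.100.9", "org-c", "falcon"),
    ("2024-07-18T12:00:00Z", "192.0.2.7",    "org-d", "falcon"),
    ("2024-07-18T12:30:00Z", "192.0.2.7",    "org-d", "other"),   # not Falcon traffic
    ("2024-07-19T09:00:00Z", "203.0.113.10", "org-a", "falcon"),
    ("2024-07-19T09:05:00Z", "203.0.113.11", "org-a", "falcon"),
    ("2024-07-19T10:00:00Z", "198.51.100.5", "org-b", "falcon"),
    ("2024-07-19T12:00:00Z", "192.0.2.7",    "org-d", "falcon"),
    ("2024-07-19T12:00:00Z", "192.0.2.7",    "org-d", "falcon"),  # duplicate, counted once
]


def daily_unique(flows, dst="falcon"):
    """Map ISO date -> {"ips": n, "orgs": n} for flows to the given destination."""
    by_day = defaultdict(lambda: {"ips": set(), "orgs": set()})
    for ts, ip, org, d in flows:
        if d != dst:
            continue
        day = datetime.fromisoformat(ts.replace("Z", "+00:00")).date().isoformat()
        by_day[day]["ips"].add(ip)
        by_day[day]["orgs"].add(org)
    return {day: {"ips": len(v["ips"]), "orgs": len(v["orgs"])}
            for day, v in sorted(by_day.items())}


def pct_change(before, after):
    """Percentage change from before to after (negative means a drop)."""
    return (after - before) / before * 100.0


def drops(flows, dst="falcon", threshold=15.0):
    """Consecutive days whose unique-IP or unique-org count fell by >= threshold %."""
    counts = daily_unique(flows, dst)
    days = list(counts)
    out = []
    for prev, cur in zip(days, days[1:]):
        ip_chg = pct_change(counts[prev]["ips"], counts[cur]["ips"])
        org_chg = pct_change(counts[prev]["orgs"], counts[cur]["orgs"])
        if ip_chg <= -threshold or org_chg <= -threshold:
            out.append({"from": prev, "to": cur,
                        "ip_change_pct": round(ip_chg, 1),
                        "org_change_pct": round(org_chg, 1)})
    return out


if __name__ == "__main__":
    print(daily_unique(FLOWS))
    print(drops(FLOWS))
```

A single day-over-day drop is weak evidence on its own; compare against the same weekday in prior weeks before reading it as an outage signal, since weekend and holiday traffic routinely falls by similar amounts.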
