In a recent incident on July 19, 2024, a malfunctioning CrowdStrike Falcon® sensor update caused a massive IT outage affecting Windows systems worldwide. While the outage itself was the result of a technical glitch rather than an attack, it has created an opportunity for malicious actors to exploit the confusion, especially by targeting CrowdStrike’s Latin American (LATAM) clients.
CrowdStrike Intelligence has uncovered the distribution of a deceptive ZIP file named “crowdstrike-hotfix.zip” containing a payload meant to deploy the RemCos RAT (remote access tool). This malware-laden file, featuring Spanish filenames and instructions, appears to be specifically tailored for LATAM users. The file was initially shared by a submitter based in Mexico, who uploaded it to an online malware-scanning service.
The attack chain begins when the victim runs Setup.exe, which uses DLL search-order hijacking to load HijackLoader, a loader that masquerades as a private crypting service called ASMCrypt. HijackLoader is built to evade detection and goes on to execute the final RemCos payload, which connects to a command-and-control server at 213.5.130.58:433, giving the attacker remote control of the infected system.
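The two indicators the article gives (the lure archive name and the C2 address) and the sideloading pattern it describes can be turned into simple triage checks. The following is an added example written for this page, not CrowdStrike’s own tooling: it builds a constructed, inert archive that mimics the described layout (an EXE beside a DLL plus Spanish-language instructions), flags such archives, and scans a few constructed firewall log lines for connections to the reported C2 endpoint. The log format and all file contents are assumptions made for the example.

```python
import io
import re
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators stated in the article above. Treat them as a starting point for
# a blocklist, not as an exhaustive description of the campaign.
C2_IP = "213.5.130.58"
C2_PORT = 433
LURE_NAME_RE = re.compile(r"crowdstrike.*(hotfix|fix|patch)", re.IGNORECASE)


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real malware): mimics the layout the
    article describes, with an executable shipped next to a DLL and Spanish
    instructions. Every member is plain text, so nothing here can run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", "constructed placeholder, not an executable")
        zf.writestr("sample.dll", "constructed placeholder, not a library")
        zf.writestr("instrucciones.txt", "Ejecute Setup.exe para aplicar el parche")
    return buf.getvalue()


def triage_archive(name: str, data: bytes) -> list[str]:
    """Return human-readable reasons an archive resembles the described lure.
    An empty list means none of the checks fired."""
    findings = []
    if LURE_NAME_RE.search(name):
        findings.append(f"archive name '{name}' matches a hotfix lure pattern")

    # Group member file extensions by directory; an .exe and a .dll in the same
    # directory is the classic DLL search-order hijacking (sideloading) layout.
    by_dir: dict[str, set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            by_dir[str(path.parent)].add(path.suffix.lower())
    for directory, suffixes in by_dir.items():
        if ".exe" in suffixes and ".dll" in suffixes:
            findings.append(
                f"directory '{directory}': executable shipped beside a DLL (sideloading candidate)"
            )
    return findings


# Constructed firewall log lines in an assumed "timestamp src -> dst:port action" layout.
SAMPLE_LOGS = [
    "2024-07-20T10:01:05Z 10.0.0.15 -> 142.250.80.46:443 ALLOW",
    "2024-07-20T10:02:11Z 10.0.0.15 -> 213.5.130.58:433 ALLOW",
    "2024-07-20T10:02:40Z 10.0.0.22 -> 213.5.130.58:80 ALLOW",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def find_c2_connections(lines: list[str]) -> list[tuple[str, str]]:
    """Return (timestamp, source host) for every line whose destination is the
    reported C2 IP on the reported port. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["dst"] == C2_IP and int(m["port"]) == C2_PORT:
            hits.append((m["ts"], m["src"]))
    return hits


if __name__ == "__main__":
    for reason in triage_archive("crowdstrike-hotfix.zip", build_sample_archive()):
        print("archive:", reason)
    for ts, src in find_c2_connections(SAMPLE_LOGS):
        print(f"network: {src} contacted {C2_IP}:{C2_PORT} at {ts}")
```

The log scan matches on IP and port together because that is the indicator the article reports; for an outright block rule, most teams would list the IP alone so that a change of port by the operator does not slip through. The archive check is deliberately generic: it fires on any EXE-beside-DLL layout, so expect it to flag some legitimate installers and use it as a triage signal rather than a verdict.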
Cybersecurity agencies including the U.S. Cyber Defense Agency, the U.K.’s National Cyber Security Centre, and Australia’s National Anti-Scam Centre have issued warnings urging vigilance against such scams. They highlight phishing emails, fraudulent support calls, and fake remediation service offers as the common tactics in these campaigns. The recommended approach is to contact businesses directly through their verified communication channels rather than responding to unsolicited messages.
CrowdStrike has set up a “Remediation and Guidance Hub” to aid affected individuals, while Microsoft has released updated support guides to assist users. Both organizations emphasize the importance of verifying the legitimacy of all communications and refraining from hasty actions prompted by suspicious messages.
To mitigate the risks posed by such threats, it is essential to adhere to certain security practices such as staying alert to potential phishing attempts, validating the authenticity of communications, refraining from downloading files from untrustworthy sources, and promptly reporting any suspected scams to relevant authorities.
By maintaining awareness and following these cybersecurity protocols, users can safeguard themselves against falling victim to malicious activities like the distribution of the “crowdstrike-hotfix.zip” file. Stay informed, stay vigilant, and prioritize your digital security in an increasingly interconnected world.
