These outages, whether planned or accidental, create a vulnerable window that attackers are increasingly exploiting. This blog will dive into the newest trend in cybercrime: leveraging IT outages to deploy malware, and offer insights into how organizations can protect themselves.
Introduction
Cybercriminals have taken advantage of the recent IT outage, using the chaos as a smokescreen to deploy the malicious data wiper known as HatefWiper disguised as a CrowdStrike Updater. These outages can occur due to various reasons such as system updates, hardware failures, or unexpected power cuts. During these periods, security measures may be relaxed, and systems might be temporarily down or in a rebooting state, creating a gap in defenses that cybercriminals can exploit.
Cybercriminal Strategies During IT Outages
Cybercriminals have developed sophisticated methods to take advantage of periods of vulnerability during IT outages. These tactics exploit the temporary lapses in security and the urgency to restore normal operations, increasing the likelihood of successful malware deployment. Here are some of the primary strategies:
Phishing Attacks
Within hours of the disruption, phishing emails mimicking CrowdStrike support began circulating. These emails urged recipients to download fake "hotfix" updates to resolve the BSOD issue. Unsuspecting users who followed these instructions ended up installing malware instead. These malicious updates appeared highly convincing, often mimicking official communications from CrowdStrike.
In our previous blog, we highlighted some of the newly created domains that can and may be used for phishing attacks.
Malicious Updates
Attackers used these fake updates to deploy various types of malware, including Remote Access Trojans (RATs) like Remcos, and even data wipers designed to destroy data on infected systems. For instance, a phishing site masquerading as an internal portal for BBVA bank distributed a fake CrowdStrike hotfix that installed Remcos RAT, granting attackers remote access to compromised systems.
CrowdStrike Updater Analysis: Chaos as a Smokescreen
We have a sample of the CrowdStrike.exe updater that we will be examining in this section. The malicious executable is delivered in a zip archive called "update.zip", which cybercriminals used to take advantage of the turmoil and trick users into "fixing" their endpoint's BSOD (blue screen of death) issue.
Upon execution, the sample displays a message box telling the user that an update is currently underway, as shown in the following instance.
Network Traffic
While monitoring network activity, we observed that this sample tried to connect to certain IP addresses and to the domain name "XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT", which is associated with HatefWiper malware. We also noticed that the sample communicates over a non-standard port, 1900, which is normally used for UPnP (SSDP). If this port is reachable, programs can request dynamic inbound port forwarding, which malware can use to expose the machine to the internet, a common botnet configuration. This introduces an easily exploited weakness on any network-connected machine.
A record of suspicious activity associated with the IP addresses used by EnemyBot malware, an IoT botnet used for DDoS attacks.
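As an added example (not code from the original post), the following Python check flags the pattern described above, a process talking to port 1900 on a unicast address outside the local network, over constructed Sysmon network-connection records. The 149.154.167.220 destination is taken from the Network IOC table in this post; the other addresses, process paths and field layout are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed Sysmon Event ID 3 (network connection) records. 149.154.167.220 is the
# address from the blog's Network IOC table; the others are made-up local addresses.
SAMPLE_CONNECTIONS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\Champion.pif",
     "DestinationIp": "239.255.255.250", "DestinationPort": "1900"},  # normal SSDP
    {"Image": r"C:\Users\victim\AppData\Local\Temp\Champion.pif",
     "DestinationIp": "149.154.167.220", "DestinationPort": "1900"},  # unicast to WAN
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "192.168.1.1", "DestinationPort": "1900"},      # LAN router
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "149.154.167.220", "DestinationPort": "443"},   # not port 1900
]


def is_suspicious_1900(conn: Dict[str, str]) -> bool:
    """True when a host talks to port 1900 on a unicast, non-local address.

    Legitimate UPnP/SSDP discovery goes to the 239.255.255.250 multicast group
    or to a device on the local network (RFC 1918 or link-local space), so a
    unicast connection to a public address on 1900 is the anomaly to alert on.
    """
    if int(conn["DestinationPort"]) != 1900:
        return False
    dst = ipaddress.ip_address(conn["DestinationIp"])
    if dst.is_multicast or dst.is_private or dst.is_link_local:
        return False
    return True


def find_suspicious(conns: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the connection records that should raise an alert."""
    return [c for c in conns if is_suspicious_1900(c)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_CONNECTIONS):
        print(f"ALERT: {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```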
Process and File Creations
After running the sample, we observed that a "cmd.exe" process was launched and executed multiple commands, including combinations of "tasklist.exe" and "findstr.exe". Before proceeding, the sample used these commands to search the running process list for the names of popular antivirus products. This technique is commonly used by malware for discovery and for impairing defenses.
It also creates multiple files under "%localappdata%\Temp", including a directory containing several interesting binaries. One of them, "Champion.pif", has an odd file extension; it turns out that this file is a program that converts scripts into standalone .exe files (see AutoIt Downloads - AutoIt).
AutoIt.exe masquerading as the "Champion.pif" binary.
Sigma Rules
Sigma rules are a powerful tool for threat detection and response. These rules offer a standardized way to define search patterns for various security events, making it easier to detect and respond to threats across different SIEM (Security Information and Event Management) systems.
We have created sample Sigma rules for the IOCs of HatefWiper (aka CrowdStrike Updater):
CrowdStrike Updater - "cmd.exe" use case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-CMD-Redirect.yml at main · SecurityBlueTeam/sigma-rules
CrowdStrike Updater - "tasklist.exe" use case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-Tasklist-Redirect.yml at main · SecurityBlueTeam/sigma-rules
CrowdStrike Updater - "findstr.exe" use case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-Findstr-Recon.yml at main · SecurityBlueTeam/sigma-rules
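To show the detection logic behind the process observations above and the three Sigma use cases just listed, here is an added Python example (not the project's own Sigma rules) that evaluates equivalent conditions over constructed Sysmon process-creation events. The antivirus process names, GUIDs, paths and field layout are assumptions of this example.

```python
import re
from typing import Dict, List

# Illustrative, non-exhaustive antivirus process names to look for in findstr
# arguments (an assumption of this example, not a list from the blog).
AV_PROCESS_NAMES = {"avastui.exe", "avgui.exe", "bdservicehost.exe",
                    "msmpeng.exe", "ekrn.exe", "avp.exe", "nswscsvc.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"   # %LOCALAPPDATA%\Temp, lower-cased

# Constructed Sysmon Event ID 1 (process creation) records; GUIDs are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "{c1}", "ParentProcessGuid": "{p0}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Champion.pif",
     "CommandLine": 'cmd /c tasklist | findstr /I "avastui.exe"'},
    {"ProcessGuid": "{t1}", "ParentProcessGuid": "{c1}",
     "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "tasklist"},
    {"ProcessGuid": "{f1}", "ParentProcessGuid": "{c1}",
     "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /I "avastui.exe"'},
    {"ProcessGuid": "{f2}", "ParentProcessGuid": "{c9}",      # benign admin use
     "Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /I "error" build.log'},
]

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name of a Windows path

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per matching event: cmd.exe piping tasklist into findstr, tasklist.exe
    under a cmd.exe that was itself launched from the Temp folder, findstr.exe grepping for AV names."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        image, parent, cmd = _name(e["Image"]), _name(e["ParentImage"]), e["CommandLine"]
        grandparent = by_guid.get(e["ParentProcessGuid"], {}).get("ParentImage", "")
        rule = None
        if image == "cmd.exe" and re.search(r"tasklist\b.*\|\s*findstr\b", cmd, re.I):
            rule = "cmd_tasklist_piped_to_findstr"
        elif image == "tasklist.exe" and parent == "cmd.exe" and TEMP_DIR in grandparent.lower():
            rule = "tasklist_via_cmd_launched_from_temp"
        elif image == "findstr.exe" and parent == "cmd.exe" and \
                any(av in cmd.lower() for av in AV_PROCESS_NAMES):
            rule = "findstr_antivirus_process_recon"
        if rule:
            alerts.append({"rule": rule, "process_guid": e["ProcessGuid"]})
    return alerts
```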
Endpoint IOCs
Network IOCs
IOC | Description |
XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT | Unknown |
149[.]154[.]167[.]220 | Joe Sandbox Analysis (Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox) |
104[.]16[.]185[.]241 | Joe Sandbox Analysis (Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox) |
Conclusion
These outages are unpredictable. In today’s world, we heavily rely on new technologies and their implementations, maximizing tool capabilities. We often forget that these technologies are still operated by human expertise. Humans are vulnerable to making mistakes, and this vulnerability is often exploited by cybercriminals for their own agendas.
Let's use this event, the latest global outage that delayed flights and brought hospitals and other organizations to their knees, to become more aware of the lurking threats waiting to exploit such situations. As a team, we want to contribute this quick research on some of the malware being deployed while mimicking helpful software. To our CrowdStrike folks, who have given up weekends, sleep, and important family gatherings to help mitigate this incident: we salute you.
To organizations: Be aware and put proper controls and detection in place to avoid further damage. To all people: As we globally share this issue, with millions being affected, we must practice the shared responsibility model. Help as you can. In these times, it is more important to put our heads down, work, and contribute rather than point fingers. Cheers!
If you found this topic fascinating and want to dive deeper into understanding this malware, Blue Team Labs Online offers an exciting lab called StrikeCrowd. Here, you'll get the chance to analyze this sample firsthand. Challenge yourself and see what you can uncover! Simply log in or sign up for a BTLO account today to get started!
Contributors
Renmarc Andrada, Defensive Content Engineer
Malik Girondin, Defensive Content Engineer
Luis Suastegui, Junior Defensive Content Engineer
References
Fake CrowdStrike fixes target companies with malware, data wipers
CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop
Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox
https://bazaar.abuse.ch/sample/19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0
About SBT
Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.