Chaos as a Smokescreen: Malware Deployed as CrowdStrike Updater

SBT Content Engineers 26/07/2024

In recent events, IT outages have become not only a significant inconvenience for businesses but also an opportunity for cybercriminals to deploy malware.

These outages, whether planned or accidental, create a vulnerable window that attackers are increasingly exploiting. This blog will dive into the newest trend in cybercrime: leveraging IT outages to deploy malware, and offer insights into how organizations can protect themselves.

Introduction

Cybercriminals have taken advantage of the recent IT outage, using the chaos as a smokescreen to deploy the malicious data wiper known as HatefWiper, disguised as a CrowdStrike Updater. Outages like this can occur for various reasons, such as system updates, hardware failures, or unexpected power cuts. During these periods security measures may be relaxed, and systems may be temporarily down or stuck rebooting, creating a gap in defenses that cybercriminals can exploit.

Cybercriminal Strategies During IT Outages

Cybercriminals have developed sophisticated methods to take advantage of periods of vulnerability during IT outages. These tactics exploit the temporary lapses in security and the urgency to restore normal operations, increasing the likelihood of successful malware deployment. Here are some of the primary strategies:

Phishing Attacks

Within hours of the disruption, phishing emails mimicking CrowdStrike support began circulating. These emails urged recipients to download fake "hotfix" updates to resolve the BSOD issue. Unsuspecting users who followed these instructions ended up installing malware instead. These malicious updates appeared highly convincing, often mimicking official communications from CrowdStrike.

In our previous blog, we highlighted some of the newly created domains that could be used for phishing attacks.

Example of a newly created domain

Malicious Updates

Attackers used these fake updates to deploy various types of malware, including Remote Access Trojans (RATs) like Remcos, and even data wipers designed to destroy data on infected systems. For instance, a phishing site masquerading as an internal portal for BBVA bank distributed a fake CrowdStrike hotfix that installed Remcos RAT, granting attackers remote access to compromised systems.

CrowdStrike Updater Analysis: Chaos as a Smokescreen

We have a sample of the CrowdStrike.exe updater that we will examine in this section. The malware is delivered in a zip archive called "update.zip", which cybercriminals used to take advantage of the current turmoil and trick users who were trying to fix their endpoints' BSOD (blue screen of death) issue.

On execution, the sample displays a message box telling the user that an update is currently underway.

Message box shown on execution, claiming an update is underway

Network Traffic

While monitoring network activity, we discovered that this sample tried to connect to certain IP addresses and to the domain name "XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT", which is associated with the HatefWiper malware. We also noticed that the sample communicates over a nonstandard port, 1900, which is normally used for UPnP. If this port is reachable, programs can request dynamic inbound port forwarding, which malware can use to expose a compromised machine to the internet, a common botnet configuration. This is an easily abused weakness on any network-connected machine.

Image of monitored network activity showing which applications are accessing the network

Image of the IP addresses with which the network traffic is communicating

A record of suspicious activity regarding the IP addresses used by EnemyBot malware, an IoT botnet used for DDoS attacks

Process and File Creations

After running the sample, we observed that a "cmd.exe" process was launched and ran multiple commands, including combinations of "tasklist.exe" and "findstr.exe". Before proceeding, the sample used these commands to search the running process list for the names of popular antivirus products. This technique is commonly used by malware for discovery and for impairing defenses.

Commands run by the sample through cmd.exe

It also creates multiple files under the "%localappdata%\Temp" path, including a directory containing several interesting binaries. One of them, named "Champion.pif", carries an odd file extension; it turns out that this file is a program that converts scripts into standalone .exe files (AutoIt Downloads - AutoIt).

Image showing the %localappdata% paths and odd file extensions

AutoIt.exe masquerading as the "Champion.pif" binary.

Sigma Rules

Sigma rules are a powerful tool for threat detection and response. These rules offer a standardized way to define search patterns for various security events, making it easier to detect and respond to threats across different SIEM (Security Information and Event Management) systems.

We have created sample Sigma rules for the IOCs of HatefWiper, aka the fake CrowdStrike updater:

CrowdStrike Updater, 'cmd.exe' use-case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-CMD-Redirect.yml (SecurityBlueTeam/sigma-rules, main branch)

CrowdStrike Updater, 'tasklist.exe' use-case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-Tasklist-Redirect.yml (SecurityBlueTeam/sigma-rules, main branch)

CrowdStrike Updater, 'findstr.exe' use-case detection: sigma-rules/T1082.T1057!CrowdStrikeUpdater/Sigma-Findstr-Recon.yml (SecurityBlueTeam/sigma-rules, main branch)
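To show how the process-creation behaviour described above (cmd.exe chaining tasklist into findstr to look for antivirus product names) turns into a Sigma-style detection, here is an added Python example. It is not the SecurityBlueTeam rules linked above and not code from this post: the two rules, the Sysmon-style field names (Image, ParentImage, CommandLine), the antivirus process names and the sample events are all constructed for the illustration. The matcher supports the Sigma field modifiers endswith, startswith and contains, and conditions built from selection names with and, or and not.

```python
# Added example: a minimal evaluator for Sigma-style selections, run over
# constructed Sysmon process-creation (Event ID 1) records that mimic the
# cmd.exe -> tasklist | findstr chain described in the post. The rules below
# are written for this illustration; they are NOT the SecurityBlueTeam rules.
from typing import Any

# Constructed antivirus process names, used only to make the example concrete.
AV_PROCESS_NAMES = ["avastui.exe", "avgui.exe", "bdagent.exe", "mcuicnt.exe", "msmpeng.exe"]

RULES: list[dict[str, Any]] = [
    {
        "title": "cmd.exe chaining tasklist into findstr",
        "detection": {
            "selection_cmd": {"Image|endswith": "\\cmd.exe"},
            "selection_tasklist": {"CommandLine|contains": "tasklist"},
            "selection_findstr": {"CommandLine|contains": "findstr"},
            "condition": "selection_cmd and selection_tasklist and selection_findstr",
        },
    },
    {
        "title": "AV product discovery via findstr spawned by cmd.exe",
        "detection": {
            "selection_parent": {"ParentImage|endswith": "\\cmd.exe"},
            "selection_findstr": {"Image|endswith": "\\findstr.exe"},
            "selection_av": {"CommandLine|contains": AV_PROCESS_NAMES},
            "condition": "selection_parent and selection_findstr and selection_av",
        },
    },
]


def field_matches(event: dict, key: str, expected: Any) -> bool:
    """Apply one 'Field|modifier' test; list values are OR-ed and matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for want in (expected if isinstance(expected, list) else [expected]):
        want = str(want).lower()
        if modifier == "endswith" and actual.endswith(want):
            return True
        if modifier == "startswith" and actual.startswith(want):
            return True
        if modifier == "contains" and want in actual:
            return True
        if modifier == "" and actual == want:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    # Inside one selection map every field test must hold (Sigma AND semantics).
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition: str, results: dict[str, bool]) -> bool:
    """Evaluate e.g. 'a and not b or c' over selection results; 'and' binds tighter than 'or'."""
    for or_term in condition.split(" or "):
        term_ok = True
        for tok in or_term.split(" and "):
            tok = tok.strip()
            negate = tok.startswith("not ")
            name = tok[4:].strip() if negate else tok
            value = results[name]
            term_ok = term_ok and (not value if negate else value)
        if term_ok:
            return True
    return False


def rule_matches(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def scan(rules: list[dict], events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires on every event."""
    return [(i, rule["title"]) for i, ev in enumerate(events)
            for rule in rules if rule_matches(rule, ev)]


# Constructed Sysmon-style events: the chain from the post, plus a benign
# interactive tasklist run that must not fire.
EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\CrowdStrike.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\CrowdStrike.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\victim\Downloads\CrowdStrike.exe",
     "CommandLine": r'cmd /c tasklist | findstr /I "avastui.exe bdagent.exe mcuicnt.exe"'},
    {"Image": r"C:\Windows\System32\tasklist.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tasklist"},
    {"Image": r"C:\Windows\System32\findstr.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'findstr /I "avastui.exe bdagent.exe mcuicnt.exe"'},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "tasklist /svc"},
]

if __name__ == "__main__":
    for idx, title in scan(RULES, EVENTS):
        print(f"event {idx}: {title}")
```

The second rule keys on the findstr.exe child rather than on the cmd.exe parent, because the antivirus names only appear in the child's command line when the pipeline is spawned; the first rule catches the parent, so a real deployment would tune one of the two to keep noise down.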

Endpoint IOCs

Filename          SHA256
Carroll.cmd       1fa1f7f0089f89e07406412c257ae546bb9728f7055f804e800e6c41a682c882
Viagra            d1fbe283ccd1db36bc91000cfb3694030dcc026fa1987118994b36c37e970e72
Acrobat           b09c0e4e65b615b4a957ab44e59ecca0ca2a789ae22c8af13c1b6846b0697e5e
Ah                023a48297f82fdb98e70645fca8703c1e0cc04835b166652cb155ec4850506b5
CrowdStrike.exe   4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
Deeper            d2e56eccbe919716f7e2a961290e740da9719893f57e2e70d0e59971b5910889
Democracy         8f444581168196c045fabde65f1c0667154afe2fe6302e7ff342aefd3b6b829d
Develops          88c137e5726172061f509246ada7d2d3cb8e5dabcf35cadf1d49c49b073a80a4
Ferry             11bde3af35bd166fea20604167525cc28a2eb2fd0bc66b054c190af00447f50c
Fu                379d9e9e4e9df9c19a992c94fbf6ded32d00af9df1b9c758f1ef1e7ecc9354e4
Gov               3b5cdbe38b52a00825da484f31421942a3ee67f7576abab754b2b56b4ae62430
Guest             6d1c8eac247de123d533e26eba1bfddc1158acd0aa15e215bc33632bd0a8f2cd
Halo              5010762dc34eb3679afe29cda9c2040309d8a784bea758f64ed4977773c20465
Handle            2fa5dfe0785e6e2ee3cf30277e09bdb46d2b7fc096d40d6aaf78ec27f5b6b68b
Honda             547ae8f99a07865535955a2b3913c9f8d5b06eb08afe36816f60841e19024cd0
Hub               a512fed0ed89a361c73452e6f8c4c4abae1442a38d2f2d152065e96b29f2ea65
Job               44135e9284ef8eefdc9076514d9c79699a7326ae2acf95d03fa19cea2057e10a
Jul               528c3017ce896bd42cad6aa9199f0a14b0673a27618a6d3cd4c16dde4da903be
Lasting           01f2d93d90f2f593356b9328a1225469d42186a5b664e3a05bc4e5236e9cd03f
Moreover          e5dc3c6c185c46fb75c682327750a542d0a84f7c17caa39469755eadeef37ba7
Number            ad9a2bd7c9ccc68820ddcbeb670f097fdd4c6be734c46cb4236970846f293645
readme.txt        0669032d8c32878a67fb53749ced98e9da367fbca64caa31f89fb1c6115296f1
Recipes           221eee5a84fde75849816cdbb84f723e5c96a3e81922692db21e7844b8537a04
Relative          5b40c05d64f0a1e5a32ca865b3ce9bf6f3747239a56a17eff1f91de491d0ed4c
Ripe              24001792498c0d036909d29887678e7f123276bec12aa7b11a1b3b082d4a2b8b
Sept              1e8c217df502d035ea3b1ac2212c20c9b9da4dd6ff81d1c3c41a0af00d8c0d5d
Str               c84293bc09732e5ccf75a5fef59c6d8d6a2642fd8336095d958524bf2d080831
Treating          471ab5de9cefdf6bb286ec34f9271831d7cdd5fa3d40aebd2dbf5073716834ca
Ukraine           2257514dce367d7dda399f81559fe3212eac73f4f6d4cf4c615907d9e80bffee
Vision            3621fccf1387fc43ff51f6c6e475cc6aae507982f52a989508667557f3b40cb0
Wave              c5a836d0021a235d4fc30764dfd4a2abb33b23ca25f4dca4a9ba7a8423f7753e
Champion.pif      865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
L                 6f3428555b02970c6f0e0cd40e5d7296bd5cd6326a8cc197ca1aa9025091318b

Network IOCs

IOC                                             Description
XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT   Unknown
149[.]154[.]167[.]220                           Joe Sandbox Analysis (Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox)
104[.]16[.]185[.]241                            Joe Sandbox Analysis (Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox)
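As an added example of how the endpoint and network IOCs above can be put to work, the Python below sweeps a small set of constructed host telemetry (DNS queries, outbound connections and file hashes) against them. It is not tooling from this post; the telemetry records, the hostnames and the "192.0.2.10" destination are constructed, and only three of the file hashes are carried over. Indicators stay in their defanged form (149[.]154[.]167[.]220) and are refanged when loaded; hash comparison is case-normalised; and, following the port-1900 observation in the Network Traffic section, any unicast connection to port 1900 that is not the usual SSDP multicast destination is flagged as a heuristic.

```python
# Added example (not the post's tooling): sweep constructed host telemetry
# against the network and endpoint IOCs listed in the post. Indicators are
# kept defanged in the list and refanged at load time so the list is safe to share.
import ipaddress

NETWORK_IOCS = {
    "XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT": "Unknown",
    "149[.]154[.]167[.]220": "Joe Sandbox analysis of CrowdStrike.exe",
    "104[.]16[.]185[.]241": "Joe Sandbox analysis of CrowdStrike.exe",
}
# Subset of the Endpoint IOC table (SHA256 -> filename).
FILE_HASHES = {
    "4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3": "CrowdStrike.exe",
    "865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4": "Champion.pif",
    "0669032d8c32878a67fb53749ced98e9da367fbca64caa31f89fb1c6115296f1": "readme.txt",
}
UPNP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"  # normal destination of UPnP/SSDP discovery traffic


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").strip().lower()


def classify(ioc: str) -> tuple[str, str]:
    """Return ('ip', value) or ('domain', value) for a (possibly defanged) indicator."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return "domain", value


def sweep(telemetry: list[dict], network_iocs=NETWORK_IOCS, file_hashes=FILE_HASHES) -> list[tuple[str, str, str]]:
    """Return (host, finding type, detail) for every telemetry record that hits an IOC or heuristic."""
    ips, domains = set(), set()
    for raw in network_iocs:
        kind, value = classify(raw)
        (ips if kind == "ip" else domains).add(value)

    findings = []
    for ev in telemetry:
        host = ev["host"]
        if ev["type"] == "dns":
            query = ev["query"].lower().rstrip(".")
            if query in domains:
                findings.append((host, "dns-ioc", query))
        elif ev["type"] == "conn":
            if ev["dst_ip"] in ips:
                findings.append((host, "ip-ioc", ev["dst_ip"]))
            # Heuristic from the post: unicast traffic to 1900 is unusual; SSDP discovery is multicast.
            if ev["dst_port"] == UPNP_PORT and ev["dst_ip"] != SSDP_MULTICAST:
                findings.append((host, "port-1900-unicast", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["type"] == "file":
            name = file_hashes.get(ev["sha256"].lower())
            if name:
                findings.append((host, "hash-ioc", name))
    return findings


# Constructed telemetry: one lab host showing the post's indicators, one clean workstation.
TELEMETRY = [
    {"type": "dns", "host": "win10-lab", "query": "XLuvBdVPcngNKMPfoEAAut.XLuvBdVPcngNKMPfoEAAuT"},
    {"type": "conn", "host": "win10-lab", "image": r"C:\Users\victim\Downloads\CrowdStrike.exe",
     "dst_ip": "149.154.167.220", "dst_port": 443},
    {"type": "conn", "host": "win10-lab", "image": r"C:\Users\victim\AppData\Local\Temp\Champion.pif",
     "dst_ip": "192.0.2.10", "dst_port": 1900},
    {"type": "conn", "host": "ws-07", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "239.255.255.250", "dst_port": 1900},
    {"type": "file", "host": "win10-lab", "path": r"C:\Users\victim\AppData\Local\Temp\Champion.pif",
     "sha256": "865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4"},
    {"type": "file", "host": "ws-07", "path": r"C:\Program Files\App\app.exe", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for host, kind, detail in sweep(TELEMETRY):
        print(f"{host}: {kind} {detail}")
```

The port-1900 check is deliberately a separate finding type from the exact IOC matches, so an analyst can triage it with lower confidence than a hash or IP hit.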

Conclusion

These outages are unpredictable. In today’s world, we heavily rely on new technologies and their implementations, maximizing tool capabilities. We often forget that these technologies are still operated by human expertise. Humans are vulnerable to making mistakes, and this vulnerability is often exploited by cybercriminals for their own agendas.

Let's use this event—the latest global outage that delayed flights and brought hospitals and other organizations to their knees—to become more aware of the lurking threats waiting to exploit such situations. As a team, we want to contribute this quick research on some of the malware being deployed under the guise of helpful software. To the CrowdStrike folks, who are giving up weekends, sleep, and important family gatherings to help mitigate this incident: we salute you.

To organizations: Be aware and put proper controls and detection in place to avoid further damage. To all people: As we globally share this issue, with millions being affected, we must practice the shared responsibility model. Help as you can. In these times, it is more important to put our heads down, work, and contribute rather than point fingers. Cheers!

If you found this topic fascinating and want to dive deeper into understanding this malware, Blue Team Labs Online offers an exciting lab called StrikeCrowd. Here, you'll get the chance to analyze this sample firsthand. Challenge yourself and see what you can uncover! Simply log in or sign up for a BTLO account today to get started! 

Contributors

Renmarc Andrada, Defensive Content Engineer

Malik Girondin, Defensive Content Engineer

Luis Suastegui, Junior Defensive Content Engineer

References

Fake CrowdStrike fixes target companies with malware, data wipers

CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop

Automated Malware Analysis Report for CrowdStrike.exe - Generated by Joe Sandbox

https://bazaar.abuse.ch/sample/19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0

About SBT

Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.

About SBT Content Engineers

The Content Engineers at SBT stay on top of the latest industry news and cybersecurity trends, to bring fresh labs, blog content, and free resources for the benefit of our learning community.