CrowdStrike Confusion Continues: Cyberattackers Launch CrowdStrike-Hotfix Malware

CrowdStrike Confusion Continues

Cyber Threat Radar – Experts have suggested that the global IT outage caused by the faulty CrowdStrike software update may have happened because the update was pushed out without the checks that would normally precede deployment.

A warning has also been issued about malicious websites and downloads that claim to repair affected devices.

8.5 million Microsoft Windows PCs Across Globe Affected

Approximately 8.5 million Microsoft Windows PCs across the globe were knocked offline by an update released by cybersecurity company CrowdStrike. The outage disrupted airports, broadcasters, hospitals, and businesses of every kind. The problems became apparent shortly after CrowdStrike pushed an update to its Falcon sensor software on Friday.

The update was intended to improve the sensor's ability to detect attacks; instead, a flaw in its code caused affected machines to crash with a “blue screen of death”.

CrowdStrike-Hotfix Malware With HijackLoader Payload

The incident has created an opening for attackers: malicious websites are now distributing unofficial “fixes” that claim to repair the crash but in fact deliver malware. No legitimate fix for the outage is delivered as a downloadable archive from a third-party site.

CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. The archive contains a HijackLoader payload that, when executed, loads Remcos (short for Remote Control & Surveillance). Notably, the Spanish filenames and instructions inside the archive indicate that this campaign is most likely aimed at Latin America-based (LATAM) CrowdStrike customers.

Remcos is a commercial Remote Access Tool sold for remote administration and advertised as legitimate software for surveillance and penetration testing, but it has been used in numerous malware campaigns. Once installed, it gives the operator a backdoor into the machine with full remote control, including command execution, file transfer and keystroke capture.
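The delivery chain described above starts with a user opening a vendor-themed archive and running the executable inside it. The triage helper below is an added example, not CrowdStrike's code and not a sample from the reported campaign: it inspects a ZIP in memory without extracting it, hashes every member so the values can be compared against vendor-published hashes, and flags the traits the advisory describes (a vendor-themed archive name, an executable member, Spanish-language instructions). The archive it builds, its member names (LEEME-instrucciones.txt, crowdstrike-hotfix.exe) and their contents are constructed for illustration; the Spanish keyword list is an assumption, not an indicator from the advisory.

```python
"""Triage a 'hotfix' ZIP before anyone runs its contents.

Added example, not CrowdStrike's code and not the real crowdstrike-hotfix.zip:
the sample archive, its member names and their bytes are constructed here.
"""
import hashlib
import io
import re
import zipfile

# Extensions Windows executes directly or hands to a script host.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".msi"}
# Assumed keyword list: words an instructions file aimed at LATAM victims might use.
SPANISH_HINTS = re.compile(
    r"\b(instrucciones|ejecutar|ejecute|archivo|solución|descargue|haga)\b", re.I)
# Archive names that borrow the vendor's branding to look like an official fix.
VENDOR_THEME = re.compile(r"crowdstrike|falcon|hotfix", re.I)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_zip(archive_name: str, data: bytes) -> dict:
    """Return members and red flags for a ZIP given as bytes; never writes to disk."""
    findings = {"archive": archive_name, "members": [], "flags": []}
    if VENDOR_THEME.search(archive_name):
        findings["flags"].append("vendor-themed archive name")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            is_pe = content[:2] == b"MZ"          # DOS/PE header magic
            findings["members"].append({
                "name": name,
                "size": info.file_size,
                "sha256": sha256(content),         # compare against vendor-published hashes
                "pe": is_pe,
            })
            if is_pe or ext in EXECUTABLE_EXTS:
                findings["flags"].append(f"executable member: {name}")
            if ext == ".txt" and SPANISH_HINTS.search(content.decode("utf-8", "replace")):
                findings["flags"].append(f"Spanish-language instructions: {name}")
    return findings


def is_suspicious(findings: dict) -> bool:
    """A vendor-themed name plus an executable inside is enough to quarantine, not run."""
    flags = findings["flags"]
    has_exe = any(f.startswith("executable member") for f in flags)
    return has_exe and "vendor-themed archive name" in flags


def build_sample_archive() -> bytes:
    """Constructed look-alike archive; the 'executable' is an MZ header plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LEEME-instrucciones.txt",
                    "Ejecute el archivo crowdstrike-hotfix.exe para aplicar la solución.\n")
        zf.writestr("crowdstrike-hotfix.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip("crowdstrike-hotfix.zip", build_sample_archive())
    for m in result["members"]:
        print(f"{m['name']:28} {m['size']:5d} bytes  pe={m['pe']}  sha256={m['sha256']}")
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("verdict:", "quarantine" if is_suspicious(result) else "no obvious red flags")
```

The hashes are the part worth keeping: a genuine vendor artifact can be checked against hashes published on the vendor's own site, whereas a ZIP that arrives from a third-party page with an executable and a README telling the reader to run it has no such provenance and should be quarantined rather than opened.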

The Australian Signals Directorate's Australian Cyber Security Centre strongly recommends that affected organisations and individuals obtain technical information and updates exclusively from official CrowdStrike sources.

“The Magnitude Of The Recent Event Is Unparalleled”

“Various security companies, not just CrowdStrike, have been known to cause Windows crashes,” commented Tim Royston-Webb, CEO, SentryBay. “In the past, updates to Windows Defender, the built-in antivirus software, have also led to Blue Screen of Death crashes. Every security provider has experienced similar incidents. While this is not a new occurrence, the magnitude of the recent event is unparalleled.”