
Exploiting Global Outages: Threat Actors Masquerade as CrowdStrike in Phishing Campaign with Fake Falcon Sensor Update

Executive Summary

At Excalibur AI, we are dedicated to staying at the forefront of cybersecurity by providing timely information on the latest threats facing organizations worldwide. Recently, cybercriminals have capitalized on a global issue concerning the Windows Blue Screen of Death (BSOD) to launch a sophisticated phishing campaign. This campaign has primarily involved two key threat actors: the Handala Group, known for their deployment of wiper malware, and another unnamed group using the Remcos Remote Access Trojan (RAT) to target CrowdStrike customers in Latin America. Additionally, there has been a significant increase in the registration of phishing domains impersonating CrowdStrike. These developments highlight the rapidly evolving tactics of cyber adversaries and underscore the importance of maintaining vigilant cybersecurity measures.


Introduction

The Windows BSOD Outage: A Cybersecurity Alert

Recently, a widespread issue involving the Windows Blue Screen of Death (BSOD) has caused significant disruptions to systems worldwide. This critical system error has rendered countless devices inoperable, leading to widespread confusion and a desperate search for solutions. Cybercriminals have seized this opportunity to launch a sophisticated phishing campaign, exploiting the confusion and urgency of the situation.

These malicious actors are distributing a fake update for the CrowdStrike Falcon sensor, falsely claiming it will resolve the BSOD issue. The campaign involves sending deceptive emails and messages, posing as communications from CrowdStrike, a reputable cybersecurity company. These phishing emails are crafted to appear legitimate, featuring the CrowdStrike logo and branding, and promise a critical update to fix the BSOD problem.


Cyber Threats Involved

In addition to the phishing campaign, two significant threats have been identified:

  1. Wiper Malware by Handala Group: The Handala Group has deployed wiper malware, resulting in the loss of terabytes of data for affected organizations. This malware wipes critical information, causing severe operational disruptions.

  2. Remcos RAT Targeting Latin American Organizations: Another threat actor has exploited the situation by installing the Remcos Remote Access Trojan (RAT) in Latin American organizations under the guise of a CrowdStrike update. This malicious software allows attackers to remotely control infected systems, leading to significant security breaches.

Furthermore, cybercriminals have registered numerous fake CrowdStrike domains to enhance the credibility of their phishing campaigns, increasing the likelihood of successful attacks. These incidents highlight the evolving tactics of cyber adversaries and the critical need for vigilant cybersecurity measures to protect against such sophisticated threats.

Handala Group Spreads Wiper Malware Disguised as CrowdStrike Update

The Handala Group, a well-known cyber threat actor, recently ran a campaign deploying wiper malware disguised as a CrowdStrike update. Claiming responsibility through announcements on its Telegram channel, Handala targeted thousands of Zionist organizations, causing data loss amounting to several terabytes.

Breakdown of the Handala Malware Operation

The phishing campaign uses a fake CrowdStrike domain, crowdstrike.com.vc, to trick customers into downloading a tool to fix a purported CrowdStrike issue. The emails contain a PDF with instructions for running the fake update and a link to download a malicious ZIP archive from a file hosting service. This ZIP file includes an executable named Crowdstrike.exe.

Initial Infection

Once the fake update is downloaded and executed, the malware begins its operation by establishing communication with external servers. This initial phase is crucial for the malware to gather information and prepare for further malicious actions.

Communication with Telegram Bot

One of the primary steps in the malware's operation is to establish contact with a Telegram bot. This communication channel is used to receive instructions and send back data from the infected system. Telegram bots are often used by cybercriminals due to their ease of use, reliability, and the ability to remain relatively anonymous.

Malware Tactic: Using icanhazip.com to Identify Public IP Addresses

The malware connects to icanhazip.com to obtain the public IP address of infected systems. This tactic allows cybercriminals to gather critical network information, enabling further exploitation or control of compromised devices.
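As an added example (not from the report or from Excalibur AI), the following correlates the two beacons just described in a simplified proxy log: a public-IP lookup to icanhazip.com followed within a short window by traffic to api.telegram.org, the Telegram Bot API endpoint. The log format and its entries are constructed, and the five-minute window is an assumed tuning value.

```python
from collections import defaultdict

LOOKUP_HOSTS = {"icanhazip.com"}    # public-IP lookup service named in the report
BOT_HOSTS = {"api.telegram.org"}    # Telegram Bot API endpoint
WINDOW = 300  # assumed: seconds allowed between IP lookup and first bot contact

# Constructed proxy log: "<epoch> <client-ip> <dest-host> <method> <status>"
SAMPLE_LOG = """\
1721400000 10.0.0.5 icanhazip.com GET 200
1721400012 10.0.0.5 api.telegram.org POST 200
1721400015 10.0.0.5 api.telegram.org POST 200
1721400100 10.0.0.9 icanhazip.com GET 200
1721401000 10.0.0.9 www.example.com GET 200
1721402000 10.0.0.7 api.telegram.org POST 200
"""

def parse(log):
    """Yield (timestamp, client_ip, dest_host) per log line."""
    for line in log.splitlines():
        ts, client, host, _method, _status = line.split()
        yield int(ts), client, host.lower()

def find_pairs(log, window=WINDOW):
    """Return {client_ip: (lookup_ts, bot_ts)} for clients that fetched their
    public IP and then reached the Telegram Bot API within `window` seconds.
    Either destination alone is common; the ordered pair is the signal."""
    lookups, bots = defaultdict(list), defaultdict(list)
    for ts, client, host in parse(log):
        if host in LOOKUP_HOSTS:
            lookups[client].append(ts)
        elif host in BOT_HOSTS:
            bots[client].append(ts)
    hits = {}
    for client, lookup_times in lookups.items():
        bot_times = sorted(bots.get(client, []))
        for lookup_ts in sorted(lookup_times):
            later = [b for b in bot_times if lookup_ts <= b <= lookup_ts + window]
            if later:  # first bot contact after this lookup, inside the window
                hits[client] = (lookup_ts, later[0])
                break
    return hits
```

Only 10.0.0.5 matches: 10.0.0.9 performed the lookup without any bot traffic, and 10.0.0.7 reached the bot API without a preceding lookup.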

Malware Tactic: Leveraging VBA Scripts for System Exploitation

The malware drops a script onto the system to carry out its staging tasks. The report refers to it as a VBA script, but its syntax (tasklist, %variable% expansion, timeout) is that of a Windows batch file, which is how it is characterized in the conclusion below. The script automates these tasks through built-in Windows utilities rather than custom code, compromising the system's security and allowing the attacker to control or damage the affected machine.

Analysis of VBA Script Dropped by the Malware

The VBA script performs several tasks, including:

  • Setting Variables: Variables like Walker, Mirrors, Bl, Frost, Cabin, Easy, Fridge, Rankings, Oils, H, Warehouse, Dumb, Traveler, Mcdonald, Accepts, Beastality, and Asia are set to various single-character values or strings.

  • Conditional Logic with tasklist: The tasklist command checks if certain processes are running. If such a process is found, specific variables are set for later use.

  • Creating a Directory: The script creates a directory based on the value of the Singh variable.

  • File Concatenation: It concatenates several strings or files and writes the result to a file in the Singh directory.

Purpose of the Script

The script appears to perform the following tasks:

  • Check for Specific Processes: It runs tasklist to determine whether certain processes are running, matching against a pattern assembled from obfuscated variables (%Fridge%dst%Cabin%).

  • Set Variables Based on Conditions: Depending on the existence of those processes, it sets specific variables for later use.

  • Create a Directory: Creates a directory named based on a variable (%Singh%).

  • Concatenate Strings/Files: It concatenates several strings or files and writes the result to a file within the created directory.

  • Delay Execution: Introduces a delay, likely to wait for some operations to complete or to synchronize with other tasks.

Conclusion on Working of Script

The script is an obfuscated batch script designed to:

  • Check if specific processes are running.

  • Set variables based on the presence of those processes.

  • Create a directory.

  • Concatenate various strings or files into a single file within that directory.

  • Introduce a delay for synchronization or timing purposes.

TTPs (Tactics, Techniques, and Procedures, with MITRE ATT&CK technique IDs):

  • Command and Control: T1102

  • System Information Discovery: T1082

  • Software Discovery: T1518

  • Masquerading: T1036

  • Virtualization/Sandbox Evasion: T1497

  • Unsecured Credentials: T1552

IOCs (Indicators of Compromise):

  • IPs: 149.154.167.220, 104.16.185.241

  • Files (MD5):

    crowdStrike.exe: 755C0350038DAEFB29B888B6F8739E81
    cmd.exe: D0FCE3AFA6AA1D58CE9FA336CC2B675B
    conhost.exe: 0D698AF330FD17BEE3BF90011D49251D
    Tasklist.exe: 0A4448B31CE7F83CB7691A2657F330F1
    findstr.exe: F1D4BE0E99EC734376FDE474A8D4EA3E
    champion.pif: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11
    RegAsm.exe: 0D5DF43AF2916F47D00C1573797C1A13
    Timeout.exe: 976566BEEFCCA4A159ECBDB2D4B1A3E3

    cmd.exe, conhost.exe, Tasklist.exe, findstr.exe, RegAsm.exe and Timeout.exe are the names of built-in Windows utilities that the malware invokes or drops (see the activity breakdown below); treat their hashes as context for this sample rather than as standalone blocking indicators, and pivot on crowdStrike.exe, champion.pif and the process chain instead.

Malware Activities: A Breakdown of the Attack Process

The malicious executable begins its operation immediately upon launch, dropping the executable file and initiating CMD.EXE for command execution. It reads the date of Windows installation and checks the security settings of Internet Explorer, preparing for further actions.

The malware executes commands from a ".cmd" file and ensures its persistence by launching itself. It gathers information on running processes and either drops or overwrites executable content. Using 'findstr.exe', it searches for specific text patterns in files, outputting the results.

In its attempt to evade detection, the malware drops a file with a rarely used extension (PIF) and runs the executable file from the user directory via the CMD process. It engages in suspicious file concatenation and starts applications with unusual extensions.

To delay execution, it uses TIMEOUT.EXE and drops legitimate Windows executables to blend in with normal system activities. The malware even drops a system driver, possibly to evade defenses, and creates files with names similar to system files.

Finally, the malware starts Microsoft applications from unusual locations, further complicating detection efforts. Each of these activities reflects the sophisticated tactics employed by the malware to disrupt systems and evade security measures.
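The script behaviour and the process chain described in the two sections above translate directly into a process-tree check. This added example (not the report's own tooling) scores constructed Sysmon-style process-creation events for that pattern: cmd.exe launched from an executable in a user directory, running tasklist, findstr and timeout, executing a .pif from the user profile, and that .pif starting RegAsm.exe. The pids, paths and the benign contrast tree are constructed.

```python
import re
from collections import defaultdict

USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)  # user profile paths
ODD_EXT = (".pif", ".scr", ".com")  # rarely used executable extensions

# Constructed Sysmon-style process-creation events (pid, parent pid, image).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\bob\Downloads\Crowdstrike.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\tasklist.exe"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\findstr.exe"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\timeout.exe"},
    {"pid": 105, "ppid": 101, "image": r"C:\Users\bob\AppData\Local\Temp\champion.pif"},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign contrast: an admin opening cmd from Explorer and running tasklist
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\tasklist.exe"},
]

def _name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()

def _root_of(pid, by_pid):
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:  # climb to tree root
        pid = by_pid[pid]["ppid"]
    return pid

def score_events(events):
    """Return {root_pid: [findings]} for process trees showing the chain."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = defaultdict(list)
    for e in events:
        root, name, parent = _root_of(e["pid"], by_pid), _name(e), by_pid.get(e["ppid"])
        in_user_dir = bool(USER_DIR.match(e["image"]))
        parent_in_user_dir = bool(parent and USER_DIR.match(parent["image"]))
        kids = {_name(c) for c in children[e["pid"]]}
        if name == "cmd.exe" and parent_in_user_dir:
            findings[root].append("cmd.exe launched by an executable in a user directory")
        if name == "cmd.exe" and {"tasklist.exe", "findstr.exe", "timeout.exe"} <= kids:
            findings[root].append("cmd.exe ran tasklist, findstr and timeout (discovery, then delay)")
        if name.endswith(ODD_EXT) and in_user_dir:
            findings[root].append(f"{name} executed from a user directory")
        if name == "regasm.exe" and parent_in_user_dir:
            findings[root].append("RegAsm.exe started by a process running from a user directory")
    return dict(findings)
```

The tree rooted at the fake update binary collects all four findings, while the admin's cmd session produces none, because its cmd.exe came from Explorer and ran only tasklist.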


Malicious ZIP Archive Impersonating CrowdStrike Update Targets Latin American Users

Cybersecurity threats continue to evolve, with attackers leveraging trusted brands to deceive users. A recent campaign has been identified targeting Latin America-based CrowdStrike customers, utilizing the domain portalintranetgrupobbva.com to impersonate the well-known BBVA bank.

The Attack Vector

The malicious ZIP archive, named crowdstrike-hotfix.zip, contains Spanish-language instructions that direct users to execute a file purportedly to apply a “hotfix” for a CrowdStrike issue. Instead of resolving any issue, the executable deploys the HijackLoader malware loader, which then installs and runs the Remcos Remote Access Trojan (RAT) from the attacker’s command-and-control (C2) server.

Notable Observations

  • Domain Impersonation: The attackers registered domains impersonating trusted entities like CrowdStrike and BBVA bank, enhancing their campaign's legitimacy.

  • Language Localization: By using Spanish-language instructions, the attackers tailored their phishing attempt to a specific geographical region, increasing the likelihood of success.

  • Sophisticated Malware Delivery: The use of HijackLoader to deploy the Remcos RAT showcases the attackers' advanced techniques, enabling remote access to compromised systems for further exploitation.
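The domains named in this report (crowdstrike.com.vc in the Handala section above, and portalintranetgrupobbva.com here) share recognisable lookalike patterns. This added example (not from the report) classifies observed hostnames against an assumed allowlist of each brand's real registrable domain; the allowlist, the benign samples and crowdstrike-update.example are assumptions.

```python
# Assumed allowlist of the brands' own registrable domains (an assumption for
# this example; a real deployment would maintain its own list).
BRANDS = {"crowdstrike": {"crowdstrike.com"}, "bbva": {"bbva.com"}}

def classify(host, brands=BRANDS):
    """Return (verdict, reason): 'legitimate', 'lookalike' or 'unrelated'.
    ASCII labels only; IDN homoglyph domains would need punycode decoding
    first, which is not handled here."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    for brand, legit in brands.items():
        # The real domain or one of its subdomains.
        if any(host == d or host.endswith("." + d) for d in legit):
            return "legitimate", brand
        if brand not in host:
            continue
        # crowdstrike.com.vc: the real domain reused as a prefix under another
        # suffix, the pattern seen in this campaign.
        for d in legit:
            if host.startswith(d + ".") or host.startswith(d + "-"):
                return "lookalike", f"{brand}: real domain {d} used as prefix"
        # portalintranetgrupobbva.com: brand glued into a longer label.
        if any(brand in lbl and lbl != brand for lbl in labels):
            return "lookalike", f"{brand}: brand embedded in label"
        # brand as its own label under an unrelated domain.
        return "lookalike", f"{brand}: brand label under unrelated domain"
    return "unrelated", None

def scan(hosts):
    """Filter observed hostnames down to (host, reason) for the lookalikes."""
    return [(h, classify(h)[1]) for h in hosts if classify(h)[0] == "lookalike"]

# Constructed sample: two domains from this report plus assumed benign and
# constructed entries.
SAMPLE_HOSTS = ["crowdstrike.com.vc", "portalintranetgrupobbva.com",
                "falcon.crowdstrike.com", "crowdstrike-update.example",
                "www.bbva.com", "example.com"]
```

Run over new-registration feeds or DNS logs, scan() surfaces the three lookalikes while leaving the brands' own subdomains untouched.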


Conclusion

This campaign underscores the need for vigilance and robust cybersecurity measures, as attackers continue to refine their tactics to bypass defenses and exploit trusted brands.



Excalibur AI conducted the research leading to the discovery of these threats. For detailed information on Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), please contact cyber@excalibur.sg.

Contact Information

For more information and inquiries about this research, please contact:

Stay vigilant and protect your organization from evolving cyber threats.


Request our comprehensive report to safeguard your digital assets and ensure robust cybersecurity measures are in place. You may email us or write " I am interested" in the comments and we will share it with you.


