Cybercriminals Exploit CrowdStrike Update Mishap to Disseminate Remcos RAT Malware

The cybersecurity titan CrowdStrike finds itself under intense scrutiny for instigating global IT turmoil by deploying a flawed update to Windows devices. Now the company cautions that malicious actors are exploiting the predicament to propagate Remcos RAT malware to its clientele in Latin America, masquerading it as a remedial hotfix.

The malicious campaign distributes a ZIP archive dubbed “crowdstrike-hotfix.zip,” which harbors a malware loader known as Hijack Loader (also referred to as DOILoader or IDAT Loader). The loader subsequently launches the Remcos RAT payload.

The archive also contains a text file (“instrucciones.txt”) with instructions in Spanish, urging recipients to execute a file (“setup.exe”) to rectify the issue.

“Evidently, the Spanish filenames and directives within the ZIP archive suggest this campaign predominantly targets Latin America-based (LATAM) CrowdStrike clients,” the company remarked, attributing the operation to a suspected e-crime group.

On Friday, CrowdStrike conceded that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC triggered a logic error, culminating in the dreaded Blue Screen of Death (BSoD). The mishap rendered numerous systems inoperative and caused significant disruption for businesses.

The incident affected customers running Falcon sensor for Windows version 7.11 and higher whose hosts were online between 04:09 and 05:27 UTC on July 19.

Opportunistic adversaries swiftly exploited the chaos, setting up typosquatting domains impersonating CrowdStrike and offering services to afflicted companies in exchange for cryptocurrency payments.

Affected customers are advised to “ensure they are communicating with CrowdStrike representatives through official channels and adhere to the technical guidance provided by the CrowdStrike support teams.”
