Likely eCrime Actor Capitalizing on Falcon Sensor Issues

July 29, 2024, 12:34 p.m.

Description

A likely eCrime actor has used the fallout from the July 19, 2024 faulty Falcon sensor content update as a lure to distribute malicious files to CrowdStrike customers in Latin America. The campaign delivers a ZIP archive named 'crowdstrike-hotfix.zip' that contains a HijackLoader payload which, when executed, loads the Remcos remote access trojan. Spanish-language filenames and instructions inside the archive indicate that the campaign is likely targeting Latin America-based CrowdStrike customers.

Date

Published: July 29, 2024, 12:16 p.m.
Created: July 29, 2024, 12:16 p.m.
Modified: July 29, 2024, 12:34 p.m.

Indicators

d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea

be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349

b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628

b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3

931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6

835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299

6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2

5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9

52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006

4f450abaa4daf72d974a830b16f91deed77ba62412804dca41a6d42a7d8b6fd0

48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184

2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed

c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2

213.5.130.58

Attack Patterns

HijackLoader (loader)

Remcos (remote access trojan)

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

T1086 PowerShell (retired ATT&CK ID, now T1059.001 Command and Scripting Interpreter: PowerShell)

T1091 Replication Through Removable Media

T1059.005 Command and Scripting Interpreter: Visual Basic

T1059.007 Command and Scripting Interpreter: JavaScript

T1204.002 User Execution: Malicious File

T1105 Ingress Tool Transfer
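The following is an added example of how a responder could sweep for the indicators above; it is illustrative code written for this page, not a CrowdStrike tool, and it only uses the Python standard library. It hashes files on disk, inspects ZIP members in memory without extracting them, flags the campaign archive name, and matches the listed IP address in log lines. The sample archive and log lines it builds are constructed for the demonstration and are not the real crowdstrike-hotfix.zip or real traffic.

```python
"""IOC sweep for the crowdstrike-hotfix.zip campaign (added example, not a CrowdStrike tool)."""
import hashlib
import io
import re
import tempfile
import zipfile
from pathlib import Path

# SHA-256 file indicators copied from the Indicators section above.
IOC_SHA256 = {
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea",
    "be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349",
    "b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628",
    "b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3",
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
    "835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299",
    "6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9",
    "52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006",
    "4f450abaa4daf72d974a830b16f91deed77ba62412804dca41a6d42a7d8b6fd0",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
    "2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed",
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
}
# Network indicator from the same section.
IOC_IPV4 = {"213.5.130.58"}
# Archive name used as the lure.
IOC_ARCHIVE_NAMES = {"crowdstrike-hotfix.zip"}

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_archive(zip_bytes: bytes, ioc_hashes=IOC_SHA256):
    """Hash every member of a ZIP held in memory and return (member_name, sha256)
    for members on the IOC list. Nothing is extracted to disk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = sha256_bytes(zf.read(info))
            if digest in ioc_hashes:
                hits.append((info.filename, digest))
    return hits


def sweep_directory(root, ioc_hashes=IOC_SHA256, archive_names=IOC_ARCHIVE_NAMES):
    """Walk `root` and report (reason, path, detail) for files matching by name,
    files matching by SHA-256, and ZIP members matching by SHA-256."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in archive_names:
            findings.append(("archive-name", str(path), path.name))
        digest = sha256_file(path)
        if digest in ioc_hashes:
            findings.append(("file-hash", str(path), digest))
        if zipfile.is_zipfile(path):
            for member, mdigest in scan_archive(path.read_bytes(), ioc_hashes):
                findings.append(("member-hash", str(path), f"{member}:{mdigest}"))
    return findings


def find_ioc_ips(log_lines, ioc_ips=IOC_IPV4):
    """Return (line_number, ip) for every IOC address seen in proxy/firewall log lines."""
    seen = []
    for n, line in enumerate(log_lines, 1):
        for ip in _IPV4_RE.findall(line):
            if ip in ioc_ips:
                seen.append((n, ip))
    return seen


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive: Spanish-language instructions plus a
    dummy payload. Member names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("instrucciones.txt", "Ejecute el archivo para aplicar la correccion.\n")
        zf.writestr("hotfix/payload.bin", b"NOT-MALWARE-constructed-sample-payload")
    return buf.getvalue()


def demo_sweep():
    """Write the constructed archive into a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "crowdstrike-hotfix.zip").write_bytes(build_sample_archive())
        return sweep_directory(tmp)


if __name__ == "__main__":
    # Constructed log lines; 203.0.113.10 is a documentation address, the second line hits the IOC.
    sample_log = [
        "2024-07-19T15:02:11Z allow 10.0.0.5 -> 203.0.113.10:443",
        "2024-07-19T15:04:27Z allow 10.0.0.5 -> 213.5.130.58:443",
    ]
    print("IP hits:", find_ioc_ips(sample_log))
    for finding in demo_sweep():
        print(finding)
```

Because the sample archive is constructed, the sweep only reports the archive-name match; on a real host the file-hash and member-hash findings are the ones that confirm the payload is present. Hash matching is exact, so a recompiled or repacked HijackLoader will not match; treat the archive name and the IP as hunting leads rather than the only detections.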