Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity

July 31, 2024, 10:59 a.m.

Description

On July 24, 2024, CrowdStrike Intelligence identified an unattributed spearphishing attempt delivering an inauthentic installer impersonating CrowdStrike's Crash Reporter through a website targeting a German entity. The site utilized JavaScript obfuscation to deliver the malicious installer, which contained CrowdStrike branding, German localization, and a password requirement. The actor employed anti-forensic techniques like subdomain registration and timestomping, indicating targeted, operational security-conscious behavior.

External References

https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing/
https://otx.alienvault.com/pulse/66aa163799038ab1caf293da
Tags
obfuscation
impersonation
spearphishing
installer
2024-07-31

Date

  • Created: July 31, 2024, 10:47 a.m.
  • Published: July 31, 2024, 10:47 a.m.
  • Modified: July 31, 2024, 10:59 a.m.

Indicators

  • a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7
  • 99bb0f05fd135218a5c4b8cac42e58274086b543d001d7227c8f6a2b7722f425
  • 80304da1e333ed581378797ad8b0b8d81a8ac5928b83423702f0de30f1616225
  • 82ef869e8f7accde731f8c289f19436347a30af1d53c8f61bde5bac8bc91ad1a
  • 41143b2e4bbb9279ba0bbb375748530cc4887cc965967e5c0cc9a39dc44937d6
Download all indicators here!

Attack Patterns

  • T1566.002
  • T1204.002
  • T1566.001
  • T1036
  • T1140

Additional Informations

  • Germany