Wednesday, September 18, 2024

Malicious Falcon Crash Reporter installer distributed to Germans

CrowdStrike detects spear-phishing campaign using a counterfeit Crash Reporter installer to deliver malware.

  • Malefactors behind the attack have skillfully imitated a legitimate German entity through a deceptive website that leverages CrowdStrike’s branding.
  • CrowdStrike CEO says that over 97% of Windows sensors are back online; the outage affected 8.5 million systems.

Following the disruption caused by a flawed CrowdStrike Falcon Sensor update, which led to significant operational interruptions, including the infamous “Blue Screen of Death,” a new and alarming spear-phishing attack emerged, targeting users in Germany.

CrowdStrike, a prominent cybersecurity firm, detected this spear-phishing campaign using a counterfeit Crash Reporter installer to deliver malware.

The malefactors behind the attack have skillfully imitated a legitimate German entity through a deceptive website that leverages CrowdStrike’s branding, further complicating the cybersecurity landscape.

It is essential to note that the software associated with this phishing attempt was not developed or distributed by CrowdStrike, emphasising the need for vigilance among users who are increasingly susceptible to such machinations.

Orchestrated attack

The orchestrated attack is noteworthy for its execution timing, as it likely capitalized on the chaos that ensued from the previous day’s outage. The domain associated with the phishing attempt was created shortly after the faulty update diminished the functionality of countless systems, illustrating how cybercriminals adeptly exploit crises to advance their nefarious goals.

The phishing page presented users with a seemingly legitimate opportunity to download a ZIP file containing the malicious InnoSetup installer, further obscured by JavaScript disguised as jQuery. The localised elements in German heightened its credibility, making it all the more dangerous.

As noted by CrowdStrike’s Counter Adversary Operations team, the impersonated website utilised a format that suggested authenticity in its approach. Though the attack was localised, the implications were globally relevant, resonating with the extensive impact of the July 19 outage that had already strained various sectors, from transportation to finance.

The outage, attributed to a defect in the CrowdStrike Falcon Sensor, affected 8.5 million systems, causing considerable operational disruption and financial repercussions, estimated between half a million and more than $1 billion.

In the wake of this incident, CrowdStrike CEO George Kurtz said that over 97 per cent of Windows sensors are back online after an update from the cybersecurity firm caused one of the world’s biggest IT outages.

“To our customers still affected, please know we will not rest until we achieve full recovery,” Kurtz said in a LinkedIn post.

As the situation evolves, it becomes imperative for individuals and organisations to remain vigilant against phishing attempts, especially in times of crisis when they are at increased risk.

