CrowdStrike Intelligence recently identified a phishing campaign using the domain crowdstrike-office365[.]com to distribute Lumma Stealer malware disguised as a Falcon sensor update.
On July 23, 2024, CrowdStrike Intelligence flagged the domain crowdstrike-office365[.]com, created to impersonate the cybersecurity firm and distribute malicious ZIP and RAR files containing a Microsoft Installer (MSI) loader disguised as a fix for the problems caused by the faulty update delivered to customers late last week. The loader installs Lumma Stealer, packed with CypherIt.
The malicious domain was registered earlier this week in an obvious attempt by the cybercriminals to take advantage of the issues people faced with CrowdStrike’s Falcon sensor. Specifically, a faulty Falcon sensor update pushed on July 19, 2024, caused a massive IT outage, impacting over 8.5 million Windows computers worldwide. This update issue led to widespread disruptions, including Blue Screens of Death (BSOD) and operational halts across various sectors globally.
Unfortunately, cybercriminals of all calibers have been attempting to exploit the situation by sending novel or documented malware via phishing messages to millions of system admins. Lumma Stealer is a commodity information stealer that exfiltrates data from browsers, including credentials, cookies, autofill data, and browser-extension information. The malware connects to a command-and-control (C2) server at iiaiyitre[.]pa, among other C2 URLs, and appears to be associated with a recent spam flood and voice phishing campaign targeting corporate networks.
Technical breakdown
The domain crowdstrike-office365[.]com served a malicious ZIP file containing the MSI file WidowsSystem-update.msi, which acts as a loader. The loader extracts and executes a self-extracting RAR (SFX) file named plenrco.exe, which in turn unpacks another RAR SFX archive containing an NSIS installer named SymposiumTaiwan.exe.
CrowdStrike
Upon execution, the MSI loader shows a decoy installation and executes the SFX file plenrco.exe with a specific command line. This unpacks the NSIS installer SymposiumTaiwan.exe, which contains fragments of a legitimate AutoIt executable and a compiled AutoIt script, as well as a batch script loader named Open.cmd. The batch script checks for security processes and, if detected, deletes itself.
The NSIS installer runs a batch script to compile and execute the AutoIt script, which is heavily obfuscated using string obfuscation techniques. The script performs several anti-analysis checks and, depending on system architecture, decrypts and executes the final Lumma Stealer payload.
Recommendations
CrowdStrike says this phishing attack, like others before it, is designed to exploit their users through a fake update mechanism supposed to resolve problems on systems impacted by the bad Falcon update.
To protect against these threats, the firm recommends the following:
- Only accept updates from official CrowdStrike channels.
- Train users to avoid executing files from untrusted sources.
- Verify website certificates to ensure software authenticity.
- Enable browser download protection.
- Consider blocking AutoIt executables if not required.
French Authorities Dismantle PlugX Botnet Ahead of Paris 2024 Olympics
Leave a Reply