Malware attacks have been launched by threat actors against Germany-based CrowdStrike customers through a new spear-phishing campaign leveraging a domain registered shortly after the widespread global IT outage brought upon by the botched update of its Falcon platform, Security Affairs reports.
Such a domain, which purported to be from a German entity and used an it[.]com subdomain, lured targets into downloading a fraudulent CrowdStrike Crash Reporter tool as a ZIP file with a trojanized InnoSetup installer, according to an analysis from CrowdStrike's Counter Adversary Operations team.
Installation enabled executable injection into a JavaScript file to conceal malicious activity, as well as the appearance of a prompt for "Backend-Server" input, which if not provided would prevent the completion of compromise. No further information regarding the identity of the attackers was provided but CrowdStrike researchers noted their elevated operations security awareness.
"Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution," said the report.
