Germany-based CrowdStrike customers are being targeted by a new spear-phishing campaign leveraging a domain registered shortly after the widespread global IT outage brought upon by the botched update of CrowdStrike's Falcon platform, Security Affairs reported.
The domain, which is purported to be from a German entity and used an it[.]com subdomain, lured targets into downloading a fraudulent CrowdStrike Crash Reporter tool as a ZIP file with a Trojanized InnoSetup installer, according to an analysis from CrowdStrike's Counter Adversary Operations team.
Installation enabled executable injection into a JavaScript file to conceal malicious activity, as well as the appearance of a prompt for "Backend-Server" input, which, if not provided, would prevent the completion of compromise.
No further information regarding the identity of the attackers was provided, but CrowdStrike researchers noted their elevated operations security awareness. "Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution," said the report.
