Cyber999 Advisories

20 July 2024     Advisory

MA-1105.072024: MyCERT Advisory - Technical Findings: Phishing and Malware URLs Exploiting Recent CrowdStrike Incident


1.0 Introduction

MyCERT has received information from multiple sources regarding a rise in phishing attacks that exploit the recent CrowdStrike incident, involving phishing domains, command-and-control (C2) IP addresses and malware binaries. These attacks are potentially crafted to deceive users into divulging sensitive information and installing malicious software while they look for help with the CrowdStrike incident.

2.0 Nature of Phishing Attacks

  1. Phishing Domains: Fraudulent domains mimic legitimate websites to deliver malicious software (malware) or steal user credentials.
  2. Command and Control (C2): Attackers use C2 servers to control compromised devices and exfiltrate data.
  3. Malware: Payloads delivered through websites or e-mails and executed on victim devices for malicious purposes.


Figure 1: Example of a potential CrowdStrike-themed phishing website

3.0 Potential Indicators of Compromise (IoC)


4.0 Recommendations

To safeguard your organization against the recent surge in phishing attacks involving phishing domains, C2 IP addresses and malware binaries, it is crucial to monitor for, and block, the Indicators of Compromise (IoCs) provided in this advisory.

Generally, CyberSecurity Malaysia advises users of affected systems to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when deciding which updates should be applied.
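As an added example (not part of the advisory or MyCERT's tooling), the following Python script shows one way to act on defanged indicators like those published in this advisory: it refangs them, matches domains (including subdomains) against DNS log lines, and matches the C2 IP:port against firewall lines. The indicator values are taken from the advisory; the log lines are constructed for the demonstration.

```python
import re
from typing import Iterable

# Indicators taken from the advisory above (published defanged). Illustrative
# subset only: load the full IoC table from your own copy in practice.
ADVISORY_IOCS = {
    "crowdstrikefix[.]com": "Domain",
    "crowdstrike-helpdesk[.]com": "Domain",
    "fix-crowdstrike-bsod[.]com": "Domain",
    "213.5.130.58[:]443": "RemCos C2 (IP:port)",
}

def refang(value: str) -> str:
    """Undo common defanging so indicators can be compared with live log data."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://")).lower()

def matches_domain(host: str, indicator: str) -> bool:
    """Exact match or any subdomain of the indicator (www.crowdstrikefix.com hits too)."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")

def scan_logs(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line number, matched indicator, type) for every hit in the log lines."""
    iocs = {refang(v): t for v, t in ADVISORY_IOCS.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for ioc, kind in iocs.items():
                if kind == "Domain" and matches_domain(host, ioc):
                    hits.append((n, ioc, kind))
        for ipport in IPPORT_RE.findall(line):  # exact IP:port match; port 80 to the same IP is not flagged
            if ipport in iocs:
                hits.append((n, ipport, iocs[ipport]))
    return hits

# Constructed sample log lines (DNS resolver and firewall style), not real telemetry.
SAMPLE_LOGS = [
    "2024-07-20T09:14:02Z dns client=10.0.0.15 query=www.crowdstrikefix.com type=A",
    "2024-07-20T09:14:05Z dns client=10.0.0.15 query=supportportal.crowdstrike.com type=A",
    "2024-07-20T09:15:40Z fw allow src=10.0.0.15:51022 dst=213.5.130.58:443 proto=tcp",
    "2024-07-20T09:16:01Z fw allow src=10.0.0.22:51023 dst=213.5.130.58:80 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("ALERT line %d: %s (%s)" % hit)
```

Note that the legitimate supportportal.crowdstrike.com query is not flagged, while the look-alike subdomain is; widen the IP match to the bare address if your policy treats any contact with a known C2 host as suspicious.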

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

  1. https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update
  2. https://www.ncsc.gov.uk/news/major-it-outage
  3. https://www.virustotal.com/gui/file/c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
  4. https://www.virustotal.com/graph/d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea