Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity via Spearphishing Website

Summary

On July 24, 2024, CrowdStrike Intelligence identified an unattributed spearphishing attempt delivering an inauthentic CrowdStrike Crash Reporter installer via a website impersonating a German entity. The website was registered with a sub-domain registrar. Website artifacts indicate the domain was likely created on July 20, 2024, one day after an issue present in a single content update for CrowdStrike’s Falcon sensor — which impacted Windows operating systems — was identified and a fix was deployed.

After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer. The installer contains CrowdStrike branding, German localization and a password required to continue installing the malware.

Details

Spearphishing Page

The threat actor leveraged a spearphishing page hosted on a URL with the format http[:]//{German Entity}.it[.]com/crowdstrike/. This spearphishing page presented the targeted victim with a download link to a ZIP file containing a malicious InnoSetup installer (Figure 1). The website it[.]com is a legitimate domain registrar, and the threat actor likely created the spearphishing page after the Falcon sensor update was deployed.

Because the website provider is a domain registrar, CrowdStrike Intelligence could not determine when the subdomain was created. However, the webpage’s timestamp indicates the InnoSetup[1] installer was created on July 20, 2024 (hotfix vom 20.07.2024).

The spearphishing page displays the branding of the targeted company and CrowdStrike. It requests that the victim download CrowdStrike Crash Reporter, a tool not developed by CrowdStrike or distributed through official CrowdStrike communication channels (Figure 1).

Figure 1. Phishing page displaying the targeted company’s and CrowdStrike’s branding

The JS serving the malicious executable masquerades as JQuery v3.7.1 — an open-source JS library — at the HTTP endpoint /crowdstrike/media/jquery-3.7.1.min.js. The code used to serve the malicious executable is contained at the beginning of the file and appended with the benign code for JQuery v3.7.1, likely in an attempt to evade detection.

The spearphishing site calls the function gApiAsync, which is defined in jquery-3.7.1.min.js; the first parameter is a relative path to the file media/disabled.svg. After clicking the download button, the user triggers the function d(), which executes the gApiAsync function (Figure 2).
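The stager-in-front-of-library layout described above can be checked from the defender's side with a known-good copy of the library. The following Python is an added example for this report, not code from CrowdStrike, the actor, or the jQuery project: it compares a served file against a reference by hash and, when the hash differs, locates the genuine text inside the served file to measure how much was prepended or appended and which named functions exist only in the foreign part. KNOWN_GOOD and STAGER_STUB are constructed stand-ins (the real comparison would use the hash published by the project); gApiAsync is the function name the report gives.

```python
"""Check a file served under a library's name against a known-good copy.

Added example for this report; not code from CrowdStrike, the actor, or the
jQuery project. KNOWN_GOOD and STAGER_STUB are constructed stand-ins.
"""
import base64
import hashlib
import re
from typing import Dict

# Constructed stand-in for the genuine minified library. In practice compare
# against the hash published by the project or a copy from its own CDN.
KNOWN_GOOD = (
    "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | "
    "jquery.org/license */\n"
    '!function(e,t){"use strict";/* library body elided in this example */}();\n'
)
# Harmless placeholder for the prepended downloader (constructed, does nothing).
STAGER_STUB = "function gApiAsync(path){/* fetch, regex, base64, Blob */}\n"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sri_hash(text: str, algo: str = "sha384") -> str:
    """Subresource Integrity value as used in a <script integrity=...> tag."""
    digest = hashlib.new(algo, text.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_served_library(served: str, known_good: str) -> Dict[str, object]:
    """Classify a served file: identical, library-with-extra-code, or replaced."""
    result: Dict[str, object] = {
        "hash_match": sha256_hex(served) == sha256_hex(known_good),
        "prepended_chars": 0,
        "appended_chars": 0,
        "foreign_functions": [],
    }
    if result["hash_match"]:
        return result
    idx = served.find(known_good)
    if idx >= 0:
        # Genuine library text is present; everything around it is foreign.
        result["prepended_chars"] = idx
        result["appended_chars"] = len(served) - idx - len(known_good)
        foreign = served[:idx] + served[idx + len(known_good):]
    else:
        foreign = served  # no genuine text at all: wholesale replacement
    # Named function declarations in the foreign part are a quick analyst lead.
    result["foreign_functions"] = re.findall(
        r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(", foreign)
    return result


if __name__ == "__main__":
    print(check_served_library(STAGER_STUB + KNOWN_GOOD, KNOWN_GOOD))
    print(sri_hash(KNOWN_GOOD))
```

The SRI value is only useful where the embedding page is trusted; on an attacker-controlled page it is the analyst or a web proxy that compares the served file with the reference. The first-difference position reported by check_served_library is where to start reading when a served "jquery" file turns out to carry extra code.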

Figure 2. OnClick event triggering the download

Next, the JS makes an HTTP GET request for the file media/disabled.svg, which is then parsed using a regex that searches for any text not in double quotes after the pattern AAAAAAAAAAAAAAw. The resulting string is Base64-decoded and provided to the user to download via a JS Blob[2] as a Portable Executable (PE) file. If any errors occur, the developer console displays error messages masquerading as issues with JQuery v3.7.1 (Figure 3).
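An analyst holding a captured copy of the SVG can reverse the steps above offline. The following Python is an added example for this report, not code from CrowdStrike or the actor's stager: it extracts the text after the marker, Base64-decodes it, checks that the result parses as a PE, and reports its SHA256, machine type and COFF compile timestamp so the value can be set beside file-system timestamps when looking for timestomping. The marker AAAAAAAAAAAAAAw is from the report; treating it as a delimiter that is not itself decoded, and restricting the capture to the Base64 alphabet, are assumptions. SAMPLE_SVG and the fake PE built by build_fake_pe are constructed test data.

```python
"""Pull a Base64-hidden PE out of a captured SVG and triage it.

Added example for this report; not CrowdStrike's or the actor's code.
The marker is from the report; SAMPLE_SVG and the fake PE are constructed.
"""
import base64
import hashlib
import re
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

MARKER = "AAAAAAAAAAAAAAw"
# Approximates the report's "text not in double quotes after the marker":
# only the Base64 alphabet (plus whitespace) is captured (assumption).
PAYLOAD_RE = re.compile(re.escape(MARKER) + r"([A-Za-z0-9+/=\s]+)")


def build_fake_pe(timestamp: int = 1720769213) -> bytes:
    """Constructed 88-byte PE stub: DOS header, e_lfanew, signature, COFF header.
    The default TimeDateStamp is 2024-07-12 07:26:53 UTC, the installer compile
    time quoted in the report, so the output can be compared with Table 2."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x22)
    return dos_header + b"PE\x00\x00" + coff


# Constructed SVG resembling a "disabled" icon asset with the payload in a comment.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z" fill="#9e9e9e"/>'
    "<!--" + MARKER + base64.b64encode(build_fake_pe()).decode("ascii") + "-->"
    "</svg>"
)


def extract_payload(svg_text: str) -> Optional[bytes]:
    """Return the decoded bytes following the marker, or None if absent/invalid."""
    match = PAYLOAD_RE.search(svg_text)
    if not match:
        return None
    b64 = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage_pe(data: bytes) -> Optional[Dict[str, str]]:
    """Validate MZ/PE headers and read the COFF TimeDateStamp."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": hex(machine),
        "compile_time_utc": datetime.fromtimestamp(stamp, timezone.utc)
        .strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    blob = extract_payload(SAMPLE_SVG)
    print(triage_pe(blob) if blob else "no payload found")
```

On a real capture, the compile timestamp returned here is the value to set beside the file-creation times in Table 1: a compile time that is earlier than it should be relative to the campaign, or several artifacts whose timestamps agree to the second, is the pattern the report describes as likely timestomping.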

Figure 3. JS used to deobfuscate delivered executable

Installer

The inauthentic installer (SHA256 hash: a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7) has the filename CrowdStrike_Crash_Reporter_Setup_8.R3.exe and uses German-language prompts, likely reflecting the threat actor’s targeting profile (Figure 4).

Figure 4. InnoSetup initial installer window

After starting the installation, the victim is prompted to input a “Backend-Server”. Failure to provide the specific input results in an error message (machine translation: A connection error has occurred), preventing the installation from completing (Figures 5 and 6). However, initial analysis indicates the installer did not perform any connectivity checks.

Figure 5. URL check

Figure 6. Error message

The InnoSetup installer is password-protected and contains an InnoSetup script (install_script.iss) and two additional files (csmon8.dat and Java8Runtime.exe). As of this writing, CrowdStrike Intelligence could not recover the final payload but did recover the file metadata (Table 1).

Path                                 | File Size (bytes) | File Creation Timestamp (UTC)
{localappdata}\Java\csmon8.dat       | 249736            | 2024-07-23 13:28
{localappdata}\Java\Java8Runtime.exe | 24216136          | 2024-07-23 13:02
install_script.iss                   | 2750              | 2024-07-24 16:46

Table 1. Malicious InnoSetup Installer listed contents

The InnoSetup Installer executable file-creation timestamp (2024-07-12 07:26:53 UTC) aligns with the date of the sensor content update (July 19, 2024) and the creation timestamps of the installer files, likely indicating the threat actor used timestomping as an anti-forensic technique.

Assessment

CrowdStrike Intelligence assesses with high confidence that the attack is likely targeted based on the following observations:

  • The victim is required to enter a specific password (under the pretext of a “Backend-Server”) that is likely only known to the targeted entities
  • Using a German-language spearphishing website and prompts for the installer indicates the actors are only targeting German-speaking CrowdStrike customers affected by the Falcon sensor content issue

The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign. For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.

Recommendations

These recommendations can be implemented to help protect against the activity described in this report.

  • Only accept updates delivered through official CrowdStrike channels, and adhere to CrowdStrike support teams’ technical guidance
  • Check website certificates on the download page to ensure downloaded software originates from a legitimate source
  • Train users to avoid executing files from untrusted sources
  • Enable download protection that can issue warnings about potentially harmful websites or downloads

Appendix

Falcon LogScale Queries

These Falcon LogScale queries detect the activity described in this report.

The following Falcon LogScale query hunts for suspicious filenames associated with the inauthentic CrowdStrike installer identified in this alert:

event_platform=Win | in(field=FileName, values=["Crowdstrike_crash_reporter_v1.1-R7.zip", "CrowdStrike_Crash_Reporter_Setup_8.R3.exe", "CrowdStrike_Crash_Reporter_Setup_8.R3.tmp"])

The following Falcon LogScale query hunts for HTTP GET requests to /media/disabled.svg that contain the obfuscated payload:

event_platform=Win
| #event_simpleName=*HttpRequest*
| concat([HttpRequestHeader, HttpsRequestHeader], as="combined")
| combined = /^GET \/media\/disabled.svg \/ HTTP/

Indicators of Compromise (IOCs)

This table details the IOCs related to the information provided in this report.

Description | Detail | Timestamp (UTC)
ZIP lure (Crowdstrike_crash_reporter_v1.1-R7.zip) | 41143b2e4bbb9279ba0bbb375748530cc4887cc965967e5c0cc9a39dc44937d6 | 2024-07-23 13:41:54 (modified)
Malicious InnoSetup installer executable (CrowdStrike_Crash_Reporter_Setup_8.R3.exe) | a7516a15e1857996373191795c79244c8f5c8deb1f17ba5dbadeac28e18ec1c7 | 2024-07-12 07:26:53 (compiler timestamp; likely timestomped)
Delphi executable (CrowdStrike_Crash_Reporter_Setup_8.R3.tmp) | 80304da1e333ed581378797ad8b0b8d81a8ac5928b83423702f0de30f1616225 | 2024-07-12 07:26:52 (compiler timestamp; likely timestomped)
Spearphishing URL | http[:]//{German Entity}.it[.]com/crowdstrike/ | n/a
Obfuscated version of Crowdstrike_crash_reporter_v1.1-R7.zip | http[:]//{German Entity}.it[.]com/crowdstrike/media/disabled.svg | n/a
Spearphishing domain IPv4 | 4.180.4[.]19 | n/a
JS downloader | 99bb0f05fd135218a5c4b8cac42e58274086b543d001d7227c8f6a2b7722f425 | n/a
Likely next-stage executable Java8Runtime.exe | 82ef869e8f7accde731f8c289f19436347a30af1d53c8f61bde5bac8bc91ad1a | unknown

Table 2. IOCs

MITRE ATT&CK

This table details the tactics and techniques described in this report.

Tactic | Technique | Observable
Initial Access | T1566.001 – Phishing: Spearphishing Attachment | The spearphishing page heavily targeted a German entity and delivered an inauthentic CrowdStrike crash-reporting application
Initial Access | T1566.002 – Phishing: Spearphishing Link | The spearphishing link was likely sent to the German entity over email
Execution | T1204.002 – User Execution: Malicious File | The user is required to enter a password to decrypt the installer contents for the next stages
Defense Evasion | T1036 – Masquerading | The infection chain masquerades as JQuery v3.7.1 and Java
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | The JS on the spearphishing page deobfuscates the inauthentic CrowdStrike crash-reporting application

Table 3. Spearphishing MITRE ATT&CK mapping

Additional Resources

Read more blog posts from CrowdStrike Intelligence regarding the Falcon content issue: 

[1] https[:]//github[.]com/jrsoftware/issrc

[2] https[:]//developer.mozilla[.]org/en-US/docs/Web/API/Blob