The infamous Blue(screen) Friday caused widespread concern, commotion, and, for attackers, convenience. Threat actors were quick to take advantage of the CrowdStrike outage, launching attacks that preyed on victims’ hysteria. In this blog, we examine an infostealer malware campaign conducted by suspected Iranian threat actor, Handala. The attack targets Israeli companies, leveraging the CrowdStrike incident to lure victims into downloading a fake update.
The Attack Flow
Targets first receive an email that appears to come from CrowdStrike’s support team. The sender domain ends in “.vc” rather than “.com,” so it is clear from the outset that there is nothing helpful about this sender.
The email claims to provide a CrowdStrike update, containing a PDF with instructions and a workaround tool.
Upon opening the PDF, the user is led to a URL containing the file “CrowdStrike.exe”.
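The lure above hinges on a sender domain that carries the vendor’s brand under the wrong top-level domain. The following Python is an added example, not code from Perception Point or from the campaign analysis, showing how a mail gateway or SOC script could classify a From: header against the domains an organisation actually expects vendor mail from. The trusted list, the sample headers, and the “.vc” lookalike address are constructed to match the page’s description; the “.vc” address is not an indicator taken from the page. The check also generalises beyond the page’s case by flagging the brand label anywhere in the domain (for instance as a subdomain of an unrelated domain).

```python
from email.utils import parseaddr

# Domains the organisation expects vendor mail from (assumption: maintained by the
# defender; "crowdstrike.com" is used because the page contrasts the attacker's
# ".vc" sender with the vendor's ".com").
TRUSTED_DOMAINS = {"crowdstrike.com"}

# Constructed sample From: headers. The ".vc" sender mirrors the page's
# description and is not an IoC quoted from the page.
SAMPLE_FROM_HEADERS = [
    "CrowdStrike Support <support@crowdstrike.com>",
    "CrowdStrike Support <support@crowdstrike.vc>",
    "IT Desk <it@crowdstrike.com.example.vc>",
    "Helpdesk <helpdesk@example.org>",
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of the From: address, or '' if absent."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def registrable_domain(domain: str) -> str:
    """Last two labels of the domain. Caveat: this ignores multi-label public
    suffixes such as co.uk; a production check should use a public-suffix list."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as trusted, lookalike, unknown or malformed."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if registrable_domain(domain) in trusted:
        return "trusted"
    # The brand label (e.g. "crowdstrike") appearing in any label of an
    # untrusted domain is the lookalike pattern the page describes (.vc vs .com).
    brands = {t.split(".")[0] for t in trusted}
    if any(brand in label for label in domain.split(".") for brand in brands):
        return "lookalike"
    return "unknown"


def triage(headers):
    """Map each header to its verdict so a gateway rule can quarantine lookalikes."""
    return {header: classify_sender(header) for header in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10s} {header}")
```

A "lookalike" verdict is the one worth quarantining and alerting on; "unknown" senders are simply outside the trusted list and need no special handling from this check.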
The file contains infostealer-like malware that steals system credentials. Various processes are executed to create directories and launch potentially malicious commands. Additionally, there are registry modifications and HTTP requests indicating malicious activity.
What really stands out, however, is the creation of files in the user’s temporary folder with unusual extensions like .pgc, .fli, and .abr, which are used to hide malicious activity. Changes in the registry are used to evade defenses, disable file tracking, and modify internet settings to bypass navigation proxies. The HTTP requests noted above indicate communication with Command & Control servers.
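The two behaviours singled out above, odd-extension files landing in the user’s Temp folder and registry writes that change proxy settings, are both easy to express as endpoint telemetry rules. The Python below is an added example written for this page, not code from Perception Point, that runs two such rules over Sysmon-style events (EventID 11 FileCreate, EventID 13 RegistryValueSet) and groups hits by the writing process. The events, user name, paths and SID are constructed; the watched extensions come from the page, while the specific Internet Settings value names (ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride) are the standard per-user WinINet proxy values and are an assumption, since the page only says “internet settings” were modified.

```python
import ntpath
from collections import defaultdict

# Extensions the page reports being dropped in the user's Temp folder.
WATCHED_EXTENSIONS = {".pgc", ".fli", ".abr"}

# Default per-user %TEMP% location (lower-cased, with surrounding separators).
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"

# Per-user WinINet proxy configuration key and the value names that steer proxy
# behaviour. Assumption: the page does not name which values were changed.
INTERNET_SETTINGS_KEY = "\\software\\microsoft\\windows\\currentversion\\internet settings\\"
PROXY_VALUES = {"proxyenable", "proxyserver", "autoconfigurl", "proxyoverride"}

# Constructed Sysmon-style events; user, paths and SID are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\CrowdStrike.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\k3f9.pgc"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\CrowdStrike.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\q7s2.abr"},
    {"EventID": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\CrowdStrike.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def temp_drop_with_watched_extension(event) -> bool:
    """Rule 1: a file with one of the watched extensions created under %TEMP%."""
    if event.get("EventID") != 11:
        return False
    path = event.get("TargetFilename", "").lower()
    return USER_TEMP_MARKER in path and ntpath.splitext(path)[1] in WATCHED_EXTENSIONS


def proxy_setting_change(event) -> bool:
    """Rule 2: a write to one of the proxy values under Internet Settings."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    if INTERNET_SETTINGS_KEY not in target:
        return False
    value_name = target.rsplit("\\", 1)[-1]
    return value_name in PROXY_VALUES


RULES = {
    "temp_drop_watched_ext": temp_drop_with_watched_extension,
    "proxy_setting_change": proxy_setting_change,
}


def triage(events):
    """Return one finding per (rule, event) match."""
    findings = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                findings.append({
                    "rule": name,
                    "image": event.get("Image", ""),
                    "target": event.get("TargetFilename") or event.get("TargetObject", ""),
                })
    return findings


def findings_by_image(events):
    """Group matched rule names by the process image; a single image tripping
    both rules is the combination the page describes."""
    grouped = defaultdict(set)
    for finding in triage(events):
        grouped[finding["image"]].add(finding["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for image, rules in findings_by_image(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(rules))}")
```

In practice the grouping step matters more than either rule alone: a Temp drop with an odd extension or a proxy change can each occur legitimately, but one freshly downloaded executable doing both is a strong signal worth an alert.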
Key TTPs Used by the Malware
The most significant group of techniques the infostealer employs falls under the TA0006 Credential Access tactic. The malware searches for unsecured credentials within the system using legitimate Windows tools. Another malicious indicator is the harvesting of data from installed web browsers to steal user credentials. If Multi-Factor Authentication (MFA) session cookies are stored, they are sent to the attacker’s Command & Control IPs.
The malware also uses T1082 System Information Discovery to evade detection: system data such as mouse, keyboard, Windows installation, and language settings are read to profile the target and apply geofencing. An additional technique involves the installation of trusted certificates to evade the operating system’s defenses and redirect traffic to malicious sites without being detected.
Process Tree Created by the Malware
Below is the process tree created by the malware within the system, illustrating the sequence of activities and techniques used to compromise the system.
The Takeaway
This campaign highlights not just the danger posed by tech outages, but also the added exploitation users face as a result. In this case, the threat actor group Handala abused users’ existing vulnerability to manipulate victims and deliver devastating malware.
Contact Perception Point for more information on how to protect your organization from malware.
Mitre ATT&CK TTPs:
Execution:
T1204 User Execution
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1059.003 Windows Command Shell
Defense Evasion:
T1562 Impair Defenses
T1036 Masquerading
T1036.003 Rename System Utilities
T1036.005 Match Legitimate Name or Location
T1497 Virtualization/Sandbox Evasion
T1497.003 Time Based Evasion
Credential Access:
T1552 Unsecured Credentials
T1552.001 Credentials In Files
Discovery:
T1012 Query Registry
T1082 System Information Discovery
T1518 Software Discovery
T1016 System Network Configuration Discovery
T1057 Process Discovery
T1614 System Location Discovery
T1497 Virtualization/Sandbox Evasion
T1497.003 Time Based Evasion
Command & Control:
T1102 Web Service