Prominent security firm CrowdStrike, under fire for causing cyber outages around the world with a faulty update on Windows devices, is now warning that unidentified malicious cybercriminals are exploiting the situation to distribute the Remcos RAT malware to its customers in Latin America under the guise of a hotfix.
The operators behind Remcos RAT are, in effect, exploiting the chaotic situation accidentally created by CrowdStrike to infiltrate users’ devices. Here is how the campaign works.
How Remcos RAT Works According to Cyber Security Experts
The attack chains involve the distribution of a ZIP file named “crowdstrike-hotfix.zip” that contains a malware loader called Hijack Loader (also known as DOILoader or IDAT Loader) which, in turn, launches the Remcos RAT payload.
Notably, the archive file also includes a text file (“instrucciones.txt”) with instructions in Spanish that prompt recipients to run an executable file (“setup.exe”) to recover from the problem.
“It is significant that the file names and Spanish instructions within the ZIP archive indicate that this campaign is likely targeting CrowdStrike customers based in Latin America (LATAM),” the company said, attributing the campaign to a suspected cybercriminal group.
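The lure described above (an archive posing as a vendor hotfix, a text file of instructions, and an executable the victim is told to run) is a pattern a mail gateway or SOC triage script can flag before anyone opens the file. The following Python is an added example written for this article, not CrowdStrike's code or any vendor's detection logic: it builds a ZIP in memory using only the file names the report mentions (crowdstrike-hotfix.zip, instrucciones.txt, setup.exe) with placeholder contents, then applies a small heuristic to the archive's member list. The lure-word and instruction-file name lists are my own assumptions for illustration.

```python
"""Heuristic triage of a 'hotfix' ZIP lure.

Added example for this article, not CrowdStrike's or any vendor's code.
The sample archive is constructed in memory from the file names the report
mentions; member contents are dummy bytes, not the real malware.
"""
import io
import os
import zipfile

# Assumed lists for illustration; a production rule would tune these.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi"}
INSTRUCTION_NAMES = {"instrucciones", "instructions", "readme", "leeme", "howto"}
LURE_WORDS = ("hotfix", "fix", "patch", "update", "recovery")

# Constructed sample mirroring the reported layout (names from the report, contents fake).
SAMPLE_LURE_MEMBERS = {
    "instrucciones.txt": b"Ejecute setup.exe para restaurar el sistema.\n",
    "setup.exe": b"MZ" + b"\x00" * 62,  # placeholder, only a fake DOS header
}
# Constructed benign archive for comparison.
SAMPLE_BENIGN_MEMBERS = {"report.pdf": b"%PDF-1.4 placeholder\n"}


def build_archive(members: dict) -> bytes:
    """Write the given name -> bytes mapping into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Inspect member names only (no extraction, no execution) and report findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info.filename for info in zf.infolist() if not info.is_dir()]

    executables = [m for m in members if os.path.splitext(m)[1].lower() in EXECUTABLE_EXT]
    instruction_files = [
        m for m in members
        if os.path.splitext(os.path.basename(m))[0].lower() in INSTRUCTION_NAMES
        and os.path.splitext(m)[1].lower() in {".txt", ""}
    ]

    findings = []
    lure_named = any(w in archive_name.lower() for w in LURE_WORDS)
    if lure_named:
        findings.append(f"archive name '{archive_name}' uses a remediation lure word")
    if executables:
        findings.append(f"contains executable member(s): {executables}")
    if executables and instruction_files:
        findings.append(f"instruction file(s) {instruction_files} shipped beside an executable")

    # Suspicious when an executable is paired with either a lure name or an instructions file.
    suspicious = bool(executables) and (lure_named or bool(instruction_files))
    return {
        "members": members,
        "executables": executables,
        "instruction_files": instruction_files,
        "findings": findings,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, members in (("crowdstrike-hotfix.zip", SAMPLE_LURE_MEMBERS),
                          ("report.zip", SAMPLE_BENIGN_MEMBERS)):
        result = triage_archive(name, build_archive(members))
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

The check deliberately never extracts or runs anything; it works from the central directory alone, so it is safe to run on quarantined attachments and cheap enough to apply to every inbound archive. A hit is a reason to hold the file for analyst review, not a verdict on its own.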
On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a blue screen of death (BSoD), rendering numerous systems unusable and throwing enterprises into chaos.
The event affected customers running Falcon sensor version 7.11 and later for Windows who were online between 04:09 and 05:27 UTC.
Remcos RAT does not come “alone”: it also requires a bit of social engineering
Malicious cybercriminals wasted no time capitalizing on the chaos created by the event, registering typosquatting domains impersonating CrowdStrike and advertising recovery services to affected businesses in exchange for payment in cryptocurrency.
Affected customers are advised to “ensure they communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support teams.”
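Typosquatting domains of the kind mentioned above are usually caught by screening newly registered or newly observed domains against the brand being impersonated. The Python below is an added example for this article, not CrowdStrike's code: it normalizes common digit-for-letter substitutions, computes Levenshtein distance to the brand label, and classifies each candidate. The domain list is constructed for illustration and does not represent observed attacker infrastructure; the public-suffix handling is deliberately naive (it assumes a single-label TLD), which is an assumption a real deployment would replace with a public suffix list.

```python
"""Lookalike-domain screening for a brand label.

Added example for this article, not CrowdStrike's code. The candidate domains
below are constructed for illustration, not observed infrastructure.
"""

BRAND = "crowdstrike"
OFFICIAL_DOMAINS = {"crowdstrike.com"}  # assumed allow-list for the example
TYPO_DISTANCE = 2  # assumed threshold

# Common visual substitutions; single-character keys as str.maketrans requires.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Lower-case, undo digit-for-letter swaps, collapse 'vv' to 'w'."""
    return label.lower().translate(HOMOGLYPHS).replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_parts(domain: str):
    """Return (second-level label, tld). Assumption: single-label TLD, no PSL."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def classify(domain: str, brand: str = BRAND) -> str:
    """Label a domain relative to the brand; most specific match wins."""
    host = domain.lower().rstrip(".")
    if host in OFFICIAL_DOMAINS:
        return "official"
    parts = registrable_parts(host)
    if parts is None:
        return "invalid"
    sld, _tld = parts
    norm_sld = normalize(sld)

    # brand.tld.attacker.example: the brand appears only in a subdomain label
    if brand in normalize(host) and brand not in norm_sld:
        return "lookalike:brand-in-subdomain"
    if sld == brand:                      # exact brand on a TLD we do not own
        return "lookalike:other-tld"
    if norm_sld == brand:                 # cr0wdstrike, crowd5trike, ...
        return "lookalike:homoglyph"
    if brand in norm_sld:                 # crowdstrike-support, crowdstrikefix
        return "lookalike:brand-embedded"
    if levenshtein(norm_sld, brand) <= TYPO_DISTANCE:
        return "lookalike:typo"
    return "unrelated"


def screen(domains) -> dict:
    """Classify every domain in an iterable; returns domain -> label."""
    return {d: classify(d) for d in domains}


# Constructed candidates (not real observed domains).
SAMPLE_DOMAINS = [
    "crowdstrike.com",
    "crowdstrike.net",
    "cr0wdstrike.com",
    "crowdstrlke.com",
    "crowdstrike-support.com",
    "crowdstrike.com.update-portal.example",
    "example.org",
]

if __name__ == "__main__":
    for d, label in screen(SAMPLE_DOMAINS).items():
        print(f"{d:45} {label}")
```

Feeding such a screen with certificate-transparency logs or new-registration feeds gives defenders a list to block at the proxy and to include in user awareness notices; the ordering of the checks matters, because an exact brand on a foreign TLD or in a subdomain should be reported as such rather than as a generic typo.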
Microsoft, which has partnered with CrowdStrike on recovery efforts, said the digital meltdown has crippled 8.5 million Windows devices globally, less than 1 percent of all Windows machines.
But not all was lost.
The disclosure, which has once again brought to the fore the risks associated with reliance on monocultural supply chains, marks the first time that the full impact and scale of what is arguably the most disruptive IT event in history has been made officially public. Mac and Linux devices were not affected by the outage.
“This incident demonstrates the interconnected nature of our broader ecosystem — global cloud providers, software platforms, security vendors and other software vendors, and customers,” the tech giant said. “It’s also a reminder of how important it is for all of us in the technology ecosystem to prioritize operations with secure deployments and disaster recovery using existing mechanisms.”
The importance of more “home-grown” systems
The CrowdStrike event, which among other things gave the Remcos RAT campaign its opening, highlighted the importance of minimizing dependence on non-European cloud systems; the incident underscores the need for European countries to develop and implement their own cloud computing technology platforms and infrastructures.
Relying on external providers not only exposes European companies and institutions to risks of service disruptions and cyber attacks, but also raises concerns about digital sovereignty and the protection of sensitive data.
Creating and supporting European solutions could not only improve security and resilience against similar events, but also promote technological innovation and economic independence within the European Union. In this context, it is essential that European governments and industries work together to invest in cloud-native infrastructure, develop local expertise and adopt rigorous security standards to prevent and mitigate incidents like the CrowdStrike outage.
However, cyber sovereignty should be discussed elsewhere.