Cybercriminals Distribute Remcos RAT by Leveraging CrowdStrike Update Incident

    Date: 07/23/2024

    Severity: High

    Summary

    Cybercriminals exploited the CrowdStrike update incident to distribute the Remcos Remote Access Trojan (RAT), leveraging the confusion and vulnerabilities stemming from the incident to spread the malware. The campaign underscores how opportunistic threat actors exploit current events for malicious purposes.

    Indicators of Compromise (IOC) List

    IP Address

    213.5.130.58

    Hash

    MD5

    1e84736efce206dc973acbc16540d3e5
    9d255e04106ba7dcbd0bcb549e9a5a4e
    7daa2b7fe529b45101a399b5ebf0a416
    84bc072f8ea30746f0982afbda3c638f
    28f0ccf746f952f94ff434ca989b7814
    21068dfd733435c866312d35b9432733
    630991830afe0b969bd0995e697ab16e
    849070ebd34cbaedc525599d6c3f8914
    da03ebd2a8448f53d1bd9e16fc903168

    SHA1

    fef212ec979f2fe2f48641160aadeb86b83f7b35
    a9becb85b181c37ee5a940e149754c1912a901f1
    fd73f3561d0cebe341a6c380681fb08841fa5ce6
    f39343933ff3fc7934814d6d3b7b098bc92540a0
    506e85d2de6377492d90b98aa20663b0ff3ce32a
    3d5336c676d3dd94500d0d2fe853b9de457f10fd
    feda243d83fba15b23d654513dc1f0d70787ba18
    b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
    889b4f487d8bba6af6ff6eb7f5afd74957586c49

    SHA256

    c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
    02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5
    2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
    52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
    6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2
    835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
    b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
    b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
    d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address

    dstipaddress IN ("213.5.130.58") or ipaddress IN ("213.5.130.58") or publicipaddress IN ("213.5.130.58") or srcipaddress IN ("213.5.130.58")

    Hash

    md5hash IN ("849070ebd34cbaedc525599d6c3f8914","9d255e04106ba7dcbd0bcb549e9a5a4e","1e84736efce206dc973acbc16540d3e5","21068dfd733435c866312d35b9432733","84bc072f8ea30746f0982afbda3c638f","630991830afe0b969bd0995e697ab16e","da03ebd2a8448f53d1bd9e16fc903168","28f0ccf746f952f94ff434ca989b7814","7daa2b7fe529b45101a399b5ebf0a416")
    
    sha1hash IN ("506e85d2de6377492d90b98aa20663b0ff3ce32a","fef212ec979f2fe2f48641160aadeb86b83f7b35","b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa","889b4f487d8bba6af6ff6eb7f5afd74957586c49","f39343933ff3fc7934814d6d3b7b098bc92540a0","3d5336c676d3dd94500d0d2fe853b9de457f10fd","fd73f3561d0cebe341a6c380681fb08841fa5ce6","a9becb85b181c37ee5a940e149754c1912a901f1","feda243d83fba15b23d654513dc1f0d70787ba18")
    
    sha256hash IN ("c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2","b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628","2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed","d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea","02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5","6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2","b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3","835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299","52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006")
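    As an added example (not part of the advisory, and not Gurucul's own tooling), the Python below takes the hash list exactly as printed in the IOC section, sorts it into md5hash, sha1hash and sha256hash buckets by digest length, rebuilds IN ("...") clauses in the same shape as the TDIR queries above, and then checks a few constructed event records against the IOCs with case-insensitive hash comparison. The event records and their field names are assumptions for illustration; only the IOC values are taken from the advisory.

```python
"""Sort the advisory's IOC hashes by algorithm, rebuild TDIR-style
IN (...) clauses from them, and scan sample events for IOC hits.
Added example, not the advisory's or Gurucul's code. The event records
and field names below are constructed for illustration."""
import re

# Hash values copied verbatim from the advisory's IOC list.
ADVISORY_HASHES = """
1e84736efce206dc973acbc16540d3e5
9d255e04106ba7dcbd0bcb549e9a5a4e
7daa2b7fe529b45101a399b5ebf0a416
84bc072f8ea30746f0982afbda3c638f
28f0ccf746f952f94ff434ca989b7814
21068dfd733435c866312d35b9432733
630991830afe0b969bd0995e697ab16e
849070ebd34cbaedc525599d6c3f8914
da03ebd2a8448f53d1bd9e16fc903168
fef212ec979f2fe2f48641160aadeb86b83f7b35
a9becb85b181c37ee5a940e149754c1912a901f1
fd73f3561d0cebe341a6c380681fb08841fa5ce6
f39343933ff3fc7934814d6d3b7b098bc92540a0
506e85d2de6377492d90b98aa20663b0ff3ce32a
3d5336c676d3dd94500d0d2fe853b9de457f10fd
feda243d83fba15b23d654513dc1f0d70787ba18
b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
889b4f487d8bba6af6ff6eb7f5afd74957586c49
c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5
2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2
835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
"""

# Address from the advisory's IOC list, and the IP fields its query checks.
ADVISORY_IPS = ["213.5.130.58"]
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

# Hex digest length -> TDIR hash field used in the advisory's queries.
FIELD_BY_LEN = {32: "md5hash", 40: "sha1hash", 64: "sha256hash"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hashes(text):
    """Bucket lowercase hex digests by field; skip tokens that are not digests."""
    buckets = {field: set() for field in FIELD_BY_LEN.values()}
    for token in text.split():
        digest = token.lower()
        field = FIELD_BY_LEN.get(len(digest))
        if field and HEX_RE.match(digest):
            buckets[field].add(digest)
    return buckets


def in_clause(field, values):
    """Render <field> IN ("v1","v2",...) the way the advisory's queries are written."""
    quoted = ",".join(f'"{v}"' for v in sorted(values))
    return f"{field} IN ({quoted})"


def build_queries(buckets, ips):
    """One clause per hash field plus the OR-joined IP clause from the page."""
    queries = {field: in_clause(field, vals) for field, vals in buckets.items() if vals}
    queries["ip"] = " or ".join(in_clause(f, ips) for f in IP_FIELDS)
    return queries


def match_events(events, buckets, ips):
    """Return (event id, field, value) for each IOC hit; hashes compare case-insensitively."""
    ip_set = set(ips)
    hits = []
    for ev in events:
        for field in IP_FIELDS:
            if ev.get(field) in ip_set:
                hits.append((ev["id"], field, ev[field]))
        for field, digests in buckets.items():
            value = str(ev.get(field, "")).lower()
            if value in digests:
                hits.append((ev["id"], field, value))
    return hits


# Constructed sample events: the private addresses and the benign MD5 (empty input) are made up.
SAMPLE_EVENTS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "213.5.130.58"},
    {"id": 2, "srcipaddress": "10.0.0.7",
     "sha256hash": "C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2"},
    {"id": 3, "srcipaddress": "10.0.0.9", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]


def run():
    """Build the queries and scan the sample events; returns (queries, hits)."""
    buckets = classify_hashes(ADVISORY_HASHES)
    return build_queries(buckets, ADVISORY_IPS), match_events(SAMPLE_EVENTS, buckets, ADVISORY_IPS)


if __name__ == "__main__":
    queries, hits = run()
    for query in queries.values():
        print(query)
    for hit in hits:
        print("HIT", hit)
```

    The generated clauses list digests in sorted order, so they differ from the page's queries only in ordering. The lowercasing in both classify_hashes and match_events matters in practice: many log sources emit uppercase hex, and an exact-case comparison would silently miss the second sample event.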

    Reference:

    https://www.rewterz.com/threat-advisory/cybercriminals-distribute-remcos-rat-by-leveraging-crowdstrike-update-incident-active-iocs
