Date: 07/24/2024
Severity: High
Summary
Threat actors impersonated CrowdStrike by circulating a fake recovery manual, a document posing as guidance for recovering Windows hosts after the July 19, 2024 Falcon sensor outage. Opening the document delivered a previously unidentified information stealer. The infrastructure listed below served the second-stage payload (payload2.txt) and received the stolen data (uploadss). The lure shows how quickly sophisticated threat actors build phishing and malware delivery around a widely publicised IT event, and why recovery guidance should only be taken from the vendor's own channels.
Indicators of Compromise (IOC) List
URL/Domains:
http://172.104.160.126:5000/uploadss
http://172.104.160.126:8099/payload2.txt
IP Address:
172.104.160.126
Hash (SHA-256):
00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99
3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8
4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721
803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domains:
userdomainname like "http://172.104.160.126:8099/payload2.txt" or userdomainname like "http://172.104.160.126:5000/uploadss" or url like "http://172.104.160.126:8099/payload2.txt" or url like "http://172.104.160.126:5000/uploadss"
IP Address:
dstipaddress IN ("172.104.160.126") or ipaddress IN ("172.104.160.126") or publicipaddress IN ("172.104.160.126") or srcipaddress IN ("172.104.160.126")
Hash (SHA-256, covering all five hashes from the IOC list):
sha256hash IN ("00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99","3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8","803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61","4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a","5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721")
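As an added worked example (not part of this advisory and not Gurucul TDIR code), the following Python script applies the IOCs above to a few constructed proxy and endpoint events. It normalises URLs and hash case so that a changed path on the same host or an upper-case hash reported by an EDR does not slip past the match, and it checks that a hash query references every hash in the IOC list. The event field names and the sample records are assumptions made for illustration.

```python
"""Added example: match this advisory's IOCs against constructed proxy and
endpoint events. Not code from the advisory or from Gurucul."""
import re
from urllib.parse import urlsplit

# IOCs copied from the advisory above.
IOC_IPS = {"172.104.160.126"}
IOC_URLS = {
    "http://172.104.160.126:5000/uploadss",
    "http://172.104.160.126:8099/payload2.txt",
}
IOC_SHA256 = {
    "00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99",
    "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8",
    "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a",
    "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721",
    "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61",
}

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def normalise_url(url: str) -> str:
    """Lower-case scheme and host, keep the explicit port and path, drop any query string."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}{parts.path}"


IOC_URLS_NORM = {normalise_url(u) for u in IOC_URLS}


def match_event(event: dict) -> list[str]:
    """Return the IOC categories an event hits; an empty list means clean."""
    hits = []
    for field in ("src", "dst"):  # assumed field names for source/destination IP
        if event.get(field) in IOC_IPS:
            hits.append(f"ip:{field}")
    url = event.get("url")
    if url:
        norm = normalise_url(url)
        if norm in IOC_URLS_NORM:
            hits.append("url:exact")
        elif urlsplit(norm).hostname in IOC_IPS:
            # Same C2 host, different path: the host itself is the indicator.
            hits.append("url:ioc-host")
    if event.get("sha256", "").lower() in IOC_SHA256:
        hits.append("sha256")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that matched at least one IOC."""
    results = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((i, hits))
    return results


def hashes_missing_from(query: str) -> set[str]:
    """IOC hashes that a detection query text does not reference."""
    present = {h.lower() for h in HEX64.findall(query)}
    return IOC_SHA256 - present


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "proxy", "src": "10.0.0.15", "dst": "172.104.160.126",
     "url": "http://172.104.160.126:8099/payload2.txt", "method": "GET"},
    {"type": "proxy", "src": "10.0.0.15", "dst": "172.104.160.126",
     "url": "http://172.104.160.126:5000/uploadss", "method": "POST"},
    # Same host, a path not in the IOC list: still flagged via the host.
    {"type": "proxy", "src": "10.0.0.15", "dst": "172.104.160.126",
     "url": "http://172.104.160.126:8099/payload3.txt", "method": "GET"},
    # Benign traffic to a TEST-NET address.
    {"type": "proxy", "src": "10.0.0.22", "dst": "203.0.113.7",
     "url": "http://example.com/index.html", "method": "GET"},
    # Endpoint event with an advisory hash in upper case, as some EDRs report it.
    {"type": "process", "host": "WS-015",
     "sha256": "5EAF0F1C1D23F4372E24EB15EE969552C416A38DBC45E4F2B4AF283E3BFB8721"},
    {"type": "process", "host": "WS-022", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], hits)
    print("hashes missing from query:", hashes_missing_from(" ".join(IOC_SHA256)))
```

The host-level match is deliberate: a stealer operator can rename payload2.txt at any time, so a URL rule that only fires on the exact path goes stale faster than one that also fires on the IOC host. Run `hashes_missing_from()` over the hash query before deploying it; a hash present in the IOC list but absent from the query is a silent coverage gap.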
Reference:
https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/