#FactCheck: An image shows Sunita Williams with Trump and Elon Musk post her space return.

Overview:

After the blackout on July 19, 2024, which affected CrowdStrike’s services worldwide, cybercriminals began to launch many phishing attacks and distribute malware. These activities mainly affect CrowdStrike customers, using the confusion as a way to extort information through fake support sites. The analysis carried out by the Research Wing of CyberPeace and Autobot Infosec has identified several phishing links and malicious campaigns.

The Exploitation:

Cyber adversaries have registered domains that are similar to CrowdStrike’s brand and have opened fake accounts on social media platforms. These are fake platforms that are employed to defraud users into surrendering their personal and sensitive details for use in other fraudulent activities.

Phishing Campaign Links:

• crowdstrike-helpdesk[.]com
• crowdstrikebluescreen[.]com
• crowdstrike-bsod[.]com
• crowdstrikedown[.]site
• crowdstrike0day[.]com
• crowdstrikedoomsday[.]com
• crowdstrikefix[.]com
• crashstrike[.]com
• crowdstriketoken[.]com
• fix-crowdstrike-bsod[.]com
• bsodsm8r[.]xamzgjedu[.]com
• crowdstrikebsodfix[.]blob[.]core[.]windows[.]net
• crowdstrikecommuication[.]app
• fix-crowdstrike-apocalypse[.]com
• supportportal-crowdstrike-com[.]translate[.]goog
• crowdstrike-cloudtrail-storage-bb-126d5e[.]s3[.]us-west-1[.]amazonaws[.]com
• crowdstrikeoutage[.]info
• clownstrike[.]co[.]uk
• crowdstrikebsod[.]com
• whatiscrowdstrike[.]com
• clownstrike[.]co
• microsoftcrowdstrike[.]com
• crowdfalcon-immed-update[.]com
• crowdstuck[.]org
• failstrike[.]com
• winsstrike[.]com
• crowdpass[.]com

In one case, a PDF file is being circulated with CrowdStrike branding, saying ‘Download The Updater,’ which is a link to a ZIP file. The ZIP file is a compressed file that has an executable file with a virus. This is a clear sign that the hackers are out to take advantage of the current situation by releasing the malware as an update.

‍

‍

‍

In another case, there is a malicious Microsoft Word document that is currently being shared, which claims to offer a solution on how to deal with this CrowdStrike BSOD bug. But there is a hidden risk in the document. When users follow the instructions and enable the embedded macro, it triggers the download of an information-stealing malware from a remote host. This is a form of malware that is used to steal information and is not well recognized by most security software. Also it sends the stolen data to the samesame remote host but with different port number, which likey works as the CnC server for the campaign.

• Name New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows[.]docm
• MD5 dd2100dfa067caae416b885637adc4ef
• SHA-1 499f8881f4927e7b4a1a0448f62c60741ea6d44b
• SHA-256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
  
• URLS http://172.104.160[.]126:8099/payload2.txt, http://172.104.160[.]126:5000/Uploadss

‍

Recent Outage Impact:

On July 19, 2024, CrowdStrike faced a global outage that originated from an update of its Falcon Sensor security software. This outage affected many government organizations and companies in different industries, such as finance, media, and telecommunications. The event led to numerous complaints from the users who experienced problems like blue screen of death and system failure. Although, CrowdStrike has admitted to the problem and is in the process of fixing it. 

Preventive Measures:

• Organize regular awareness sessions to educate the employees about the phishing techniques and how they can avoid the phishing scams, emails, links, and websites.
• MFA should be used for login to the sensitive accounts and systems for an improvement on the security levels.
• Make sure all security applications including the antivirus and anti-malware are up to date to help in the detection of phishing scams.
• This includes putting in place of measures such as alert on account activity or login patterns to facilitate early detection of phishing attempts.
• Encourage employees and users to inform the IT department as soon as they have any suspicions regarding phishing attempts.

Conclusion:

The recent CrowdStrike outage is a perfect example of how cybercriminals take advantage of the situation and user’s confusion and anxiety. Thus, people and organizations can keep themselves from these threats and maintain the confidentiality of their information by being cautious and adhering to the proper standards. To get the current information on the BSOD problem and the detailed instructions on its solution, visit CrowdStrike’s support center. Reported problems should be handled with caution and regular backup should be made to minimize the effects.

References:

• https://app.any.run/tasks/2c0ffc87-4059-4d6f-8306-1258cf33aa54/
• https://app.any.run/tasks/48e18e33-2007-49a8-aa60-d04c21e8fa11
• https://www.virustotal.com/gui/file/19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0/relations
• https://www.virustotal.com/gui/file/803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61/detection
• https://www.joesandbox.com/analysis/1478411#iocs

‍

Executive Summary:

Old footage of Indian Cricketer Virat Kohli celebrating Ganesh Chaturthi in September 2023 was being promoted as footage of Virat Kohli at the Ram Mandir Inauguration. A video of cricketer Virat Kohli attending a Ganesh Chaturthi celebration last year has surfaced, with the false claim that it shows him at the Ram Mandir consecration ceremony in Ayodhya on January 22. The Hindi newspaper Dainik Bhaskar and Gujarati newspaper Divya Bhaskar also displayed the now-viral video in their respective editions on January 23, 2024, escalating the false claim. After thorough Investigation, it was found that the Video was old and it was Ganesh Chaturthi Festival where the cricketer attended.

Claims:

Many social media posts, including those from news outlets such as Dainik Bhaskar and Gujarati News Paper Divya Bhaskar, show him attending the Ram Mandir consecration ceremony in Ayodhya on January 22, where after investigation it was found that the Video was of Virat Kohli attending Ganesh Chaturthi in September, 2023.

‍

‍

‍

The caption of Dainik Bhaskar E-Paper reads, “ क्रिकेटर विराट कोहली भी नजर आए ”

Fact Check:

CyberPeace Research Team did a reverse Image Search of the Video where several results with the Same Black outfit was shared earlier, from where a Bollywood Entertainment Instagram Profile named Bollywood Society shared the same Video in its Page, the caption reads, “Virat Kohli snapped for Ganapaati Darshan” the post was made on 20 September, 2023.

Taking an indication from this we did some keyword search with the Information we have, and it was found in an article by Free Press Journal, Summarizing the article we got to know that Virat Kohli paid a visit to the residence of Shiv Sena leader Rahul Kanal to seek the blessings of Lord Ganpati. The Viral Video and the claim made by the news outlet is false and Misleading.

Conclusion:

The recent Claim made by the Viral Videos and News Outlet is an Old Footage of Virat Kohli attending Ganesh Chaturthi the Video back to the year 2023 but not of the recent auspicious day of Ram Mandir Pran Pratishtha. To be noted that, we also confirmed that Virat Kohli hadn’t attended the Program; there was no confirmation that Virat Kohli attended on 22 January at Ayodhya. Hence, we found this claim to be fake.

• Claim:  Virat Kohli attending the Ram Mandir consecration ceremony in Ayodhya on January 22
• Claimed on: Youtube, X
• Fact Check: Fake

‍

Recent Incidents:

Recent reports are revealing a significant security threat linked to a new infostealer based malware campaign known to solely target gaming accounts. This attack has affected users of Activision and other gaming websites. The sophisticated software has captured millions of login credentials, notably from the cheats and players. The officials at Activision Blizzard, an American video game holding company, are still investigating the matter and collaborating with cheated developers to minimize the impact and inform the accounts’ residents of appropriate safety measures.

Overview:

Infostealer, also known as information stealer, is a type of malware designed in the form of a Trojan virus for stealing private data from the infected system. It can have a variety of incarnations and collect user data of various types such as browser history, passwords, credit card numbers, and login details and credentials to social media, gaming platforms, bank accounts, and other websites. Bad actors use the log obtained as a result of the collection of personal records to access the victim’s financial accounts, appropriate the victim’s online identity, and perform fraudulent actions on behalf of the victim.

Modus Operandi:

• Infosteale­r is a malicious program created to illegally obtain pe­ople's login details, like use­rnames and passwords. Its goal is to enable cybe­rattacks, sell on dark web markets, or pursue­ malicious aims.

• This malware targets both personal de­vices and corporate systems. It spre­ads through methods like phishing emails, harmful we­bsites, and infected public site­s.

• Once inside a device­, Infostealer secre­tly gathers sensitive data like­ passwords, account details, and personal information. It's designe­d to infiltrate systems being undete­cted. The stolen cre­dentials are compiled into datalogs. The­se logs are then sold ille­gally on dark web marketplaces for profit.

Analysis: 

‍

‍

Basic properties:

• MD5: 06f53d457c530635b34aef0f04c59c7d
• SHA-1: 7e30c3aee2e4398ddd860d962e787e1261be38fb
• SHA-256: aeecc65ac8f0f6e10e95a898b60b43bf6ba9e2c0f92161956b1725d68482721d
• Vhash: 145076655d155515755az4e?z4
• Authentihash: 65b5ecd5bca01a9a4bf60ea4b88727e9e0c16b502221d5565ae8113f9ad2f878
• Imphash: f4a69846ab44cc1bedeea23e3b680256
• Rich PE header hash: ba3da6e3c461234831bf6d4a6d8c8bff 
• SSDEEP: 6144:YcdXHqXTdlR/YXA6eV3E9MsnhMuO7ZStApGJiZcX8aVEKn3js7/FQAMyzSzdyBk8:YIKXd/UgGXS5U+SzdjTnE3V
• TLSH:T1E1B4CF8E679653EAC472823DCC232595E364FB009267875AC25702D3EFBB3D56C29F90
• File type: Win32 DLL executable windows win32 pepe dll
• Magic: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
• File size: 483.50 KB (495104 bytes)

Additional Hash Files:

• 160389696ed7f37f164f1947eda00830
• 229a758e232aeb49196c862655797e12
• 23e4ac5e7db3d5a898ea32d27e8b7661
• 3440cced6ec7ab38c6892a17fd368cf8
• 36d7da7306241979b17ca14a6c060b92
• 38d2264ff74123f3113f8617fabc49f6
• 3c5c693ba9b161fa1c1c67390ff22c96
• 3e0fe537124e6154233aec156652a675
• 4571090142554923f9a248cb9716a1ae
• 4e63f63074eb85e722b7795ec78aeaa3
• 63dd2d927adce034879b114d209b23de
• 642aa70b188eb7e76273130246419f1d
• 6ab9c636fb721e00b00098b476c49d19
• 71b4de8b5a1c5a973d8c23a20469d4ec
• 736ce04f4c8f92bda327c69bb55ed2fc
• 7acfddc5dfd745cc310e6919513a4158
• 7d96d4b8548693077f79bc18b0f9ef21
• 8737c4dc92bd72805b8eaf9f0ddcc696
• 9b9ff0d65523923a70acc5b24de1921f
• 9f7c1fffd565cb475bbe963aafab77ff

Indicators of Compromise:

• Unusual Outbound Network Traffic: An increase in odd or questionable outbound network traffic may be a sign that infostealer malware has accessed more data.

• Anomalies in Privileged User Account Activity: Unusual behavior or illegal access are two examples of irregular actions that might indicate a breach in privileged user accounts.

• Suspicious Registry or System File Changes: Infostealer malware may be trying to alter system settings if there are any unexpected changes to system files, registry settings, or configurations.

• Unusual  DNS queries: When communicating with command and control servers or rerouting traffic, infostealer malware may produce strange DNS queries.

• Unexpected System Patching: Unexpected or unauthorized system patching by unidentified parties may indicate that infostealer malware has compromised the system and is trying to hide its footprint or become persistent. 

• Phishing emails and social engineering attempts:  It is a  popular strategy employed by cybercriminals to get confidential data or implant malicious software. To avoid compromise, it is crucial to be wary of dubious communications and attempts of social engineering.

Recommendations:

• Be Vigilant: In today's digital world, many cybercrime­s threaten online safe­ty, Phishing tricks, fake web pages, and bad links pose­ real dangers. Carefully che­ck email sources. Examine we­bsites closely. Use top se­curity programs. Follow safe browsing rules. Update software­ often. Share safety tips. The­se steps reduce­ risks. They help kee­p your online presence­ secure.

• Regular use of Anti-Virus Software to detect the threats: Antivirus tools are vital for finding and stopping cybe­r threats. These programs use­ signature detection and be­havior analysis to identify known malicious code and suspicious activities. Updating virus de­finitions and software-patches regularly, improve­s their ability to detect ne­w threats. This helps maintain system se­curity and data integrity.

• Provide security related training to the employees and common employees: One should learn Cybe­rsecurity and the best practice­s in order to keep the­ office safe. Common workers will ge­t lessons on spotting risks and responding well, cre­ating an environment of caution.

• Keep changing passwords: Passwords should be changed fre­quently for better se­curity. Rotating passwords often makes it harder for cybe­r criminals to compromise and make it happen or confidential data to be­ stolen. This practice keeps intruders out and shie­lds sensitive intel.

Conclusion:

To conclude, to reduce the impact and including the safety measures, further investigations and collaboration are already in the pipeline regarding the recent malicious software that takes advantage of gamers and has stated that about millions of credentials users have been compromised. To protect sensitive data, continued usage of antivirus software, use of trusted materials  and password changes are the key elements. The ways to decrease risks and safely protect sensitive information are to develop improved Cybersecurity methods such as multi-factor authentication and the conduct of security audits frequently. Be safe and be vigilant.

Reference:

• https://techcrunch.com/2024/03/28/activision-says-its-investigating-password-stealing-malware-targeting-game-players/
• https://www.bleepingcomputer.com/news/security/activision-enable-2fa-to-secure-accounts-recently-stolen-by-malware/
• https://cyber.vumetric.com/security-news/2024/03/29/activision-enable-2fa-to-secure-accounts-recently-stolen-by-malware/
• https://www.virustotal.com/
• https://otx.alienvault.com/

‍