Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike’s software that causes a Blue Screen of Death (BSOD) on affected systems.

This vulnerability has given cybercriminals a unique opportunity to spread malware, posing significant risks to users and organizations relying on CrowdStrike for cybersecurity.

The Malicious Lure

Zscaler ThreatLabz, a prominent cybersecurity research group, tweeted that it has identified a sophisticated lure that leverages this BSOD bug.

Threat actors are taking advantage of the CrowdStrike BSOD bug to spread malware. ThreatLabz identified a lure that uses a Microsoft Word document that contains instructions on how to recover from the issue. However, the document contains a malicious macro that, when enabled,… pic.twitter.com/Yq31eOhfKF

— Zscaler ThreatLabz (@Threatlabz) July 22, 2024

- Advertisement -

The lure is a Microsoft Word document ostensibly containing instructions on how to recover from the BSOD issue. However, this document is far from harmless.

It includes a malicious macro that, when enabled by the unsuspecting user, initiates the download of information-stealing malware from a remote server.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

The malicious macro connects to the URL hxxp://172.104.160[.]126:8099/payload2.txt to download the malware. This information stealer is designed to evade detection by many antivirus solutions, making it particularly dangerous.

Once installed, the malware begins its nefarious activities, compromising the security and privacy of the affected system.

Data Exfiltration via HTTP POST Requests

The primary function of the downloaded malware is to steal sensitive information from the infected system. This stolen data is then exfiltrated via HTTP POST requests to the IP address 172.104.160[.]126:5000.

Cybercriminals commonly use HTTP POST requests for data exfiltration, as this tactic can often bypass traditional network security measures.

The specific types of data this malware targets have not been disclosed, but information stealers typically aim to harvest credentials, financial information, personal data, and other valuable assets.

The implications of such data breaches are severe, potentially leading to identity theft, financial loss, and further cyberattacks.

In response to this threat, cybersecurity experts urge users and organizations to exercise extreme caution with unsolicited documents, particularly those claiming to offer solutions to known issues like the CrowdStrike BSOD bug.

It is crucial to disable macros in Microsoft Office documents unless necessary and to verify the authenticity of any recovery instructions through official channels.

CrowdStrike has been notified of this exploitation, and users are advised to stay updated with the company’s latest patches and security advisories.

Additionally, robust endpoint protection and network monitoring can help detect and mitigate such threats.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.