Recently, an issue in a content update for the CrowdStrike Falcon sensor affecting Windows operating systems was discovered and quickly resolved. However, this incident has provided cybercriminals with multiple vectors to launch various cyberattacks, exploiting the confusion and urgency created by the update mishap.

Cybercriminals have leveraged the content update issue to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. This archive contains a HijackLoader payload that, upon execution, uses DLL search-order hijacking to load and execute its first-stage payload. HijackLoader, marketed as a private crypting service called ASMCrypt, is a modular multi-stage loader designed to evade detection. Its configuration file provides data that the loader uses to execute the final RemCos payload, which then contacts a command-and-control (C&C) server.

In addition to the ZIP archive, several typosquatting domains impersonating CrowdStrike have been identified. These domains are used to trick users into downloading malicious files or redirect them to scam pages, including those requesting cryptocurrency payments under the pretense of providing a fix for the issue.

The China-based APT41 hacking group has launched a sustained campaign targeting organizations in the shipping, logistics, media, entertainment, technology, and automotive sectors across Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. This campaign, ongoing since 2023, has allowed APT41 to maintain prolonged unauthorized access to victims’ networks, extracting sensitive data over extended periods.

The attack chain involves the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE). APT41 employs these tools to achieve persistence, deliver additional payloads, and exfiltrate data of interest. The DUSTTRAP malware, a multi-stage plugin framework, is particularly noteworthy for its extensive capabilities, including executing shell commands, file system operations, process manipulation, keylogging, and Active Directory modifications.

Further details, as well as YARA rules, can be found in the full report: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust