Crowdstrike Holdings Inc.
07/23/2024 | Press release | Distributed by Public on 07/24/2024 08:32
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure
Summary
On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days after the July 19, 2024, single content update for CrowdStrike's Falcon sensor - which impacted Windows operating systems - was identified and a fix was deployed. The ZIP file uses the filename CrowdStrike Falcon.zipin an attempt to masquerade as a Falcon update. CrowdStrike Intelligence does not currently attribute the analyzed activity to any named adversary.
Technical Analysis
Technical analysis is based on the ZIP archive (SHA256 hash: 5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183) that was uploaded to a public malware repository on 2024-07-23 12:09 UTC with the filename CrowdStrike Falcon.zip. This archive contains the files shown in Table 1.
| Filename | SHA256 Hash |
| Readme.txt | 56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a |
| CrowdStrike Falcon.exe | 21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6 |
Table 1. Archive CrowdStrike Falcon.zip content
The file CrowdStrike Falcon.exe is a self-extracting RAR (SFX) that contains and executes a Python-compiled executable; this executable contains the Connecio information stealer.
The text file Readme.txt contains instructions for potential victims to disable Windows Defender and execute the malicious executable present in the archive (Figure 1).
Figure 1. Readme.txt content
Upon execution, the malicious file CrowdStrike Falcon.exe unpacks and invokes an information stealer written in the Python programming language that collects system information, the system's external IP address (by making an HTTP GET request to the URL http[:]//ipinfo[.]io/[]?token=7fb82f5925fe8b), and data from multiple web browsers.
Then, the information stealer resolves its command-and-control (C2) servers by making HTTP GET requests to the Pastebin dead-drop URLs shown in Table 2.
| Pastebin Dead-Drop URL | Description |
| https[:]//pastebin[.]com/FHfj1fYD | C2 server configuration |
| https[:]//pastebin[.]com/HeVWATy1 | Simple Mail Transfer Protocol (SMTP) accounts to exfiltrate collected information via email |
| https[:]//pastebin[.]com/2diVWcDQ | List of cryptocurrency address patterns and potential replacements; the addresses are likely used for clipboard-hijacking cryptocurrency theft, as they match cryptocurrency addresses and the malware uses the Python library pyperclip to control the clipboard1 |
1 https[:]//pypi[.]org/project/pyperclip/
Table 2. Pastebin dead-drop URLs
Recommendations
These recommendations can be implemented to help protect against the activity described in this report.
- Only accept updates delivered through CrowdStrike official channels and adhere to CrowdStrike support teams' technical guidance
- Train users to avoid executing files from untrusted sources
- Check website certificates on the download page to ensure downloaded software originates from a legitimate source
- Use browser settings to enable download protection that can issue warnings regarding potentially harmful websites or downloads
- Block SMTP network connections to unknown servers when not required within the organization
- Block Pastebin web access when not required within the organization
Appendix
YARA Rule
This YARA rule detects common strings for the Connecio information stealer.
|
rule CrowdStrike_CSA_240846_01 : connecio python stealer
{ meta: copyright = "(c) 2024 CrowdStrike Inc." description = "Common strings for Connecio Python stealer" reports = "CSA-240846" version = "202407231719" last_modified = "2024-07-23" malware_family = "Connecio" strings: $ = "C0nn3c+10nz" $ = "?token=" $ = "ACCOUNT(S) INFO COOKIE" $ = "Firefox.get_password" $ = "Brave.get_password" $ = "Chrome.get_password" $ = "MACHINE : " condition: 5 of them } |
Falcon LogScale Queries
This Falcon LogScale query detects the activity described in this report.
|
// Indicators related to CSA-240846
case { in("SHA256HashData", values=["21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6", "56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a", "5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183", "d7c1be2d0b7d2714ff710676d228ac751c4eba280309e1241a9f7e441299a177"]); in("DomainName", values=["dshu.xyz", "klaxusonline.com", "mail.dshu.xyz", "theprofits.online", "web3versecoin.com", "xryptbx.com"]); in("RemoteAddressIP4", values=["139.99.232.135", "185.255.114.110", "185.255.114.63"]) } | table([cid, aid, #event_simpleName, ComputerName]) |
Indicators of Compromise (IOCs)
This table details the IOCs related to the information provided in this report.
| Description | Value |
| C2 IP addresses |
139.99.232[.]135:80 185.255.114[.]110:80185.255.114[.]63:80 |
| SMTP exfiltration-sender accounts |
send@dshu[.]xyz
logs@web3versecoin[.]com logsmaster@xryptbx[.]com |
| SMTP exfiltration-recipient accounts |
logs@theprofits[.]online
info2024@klaxusonline[.]com frank@dshu[.]xyz 6000@xryptbx[.]com |
| SMTP exfiltration hosts |
mail.dshu[.]xyz:465
web3versecoin[.]com:465 xryptbx[.]com:465 |
Table 3. IOCs
MITRE ATT&CK
This table details the MITRE ATT&CK® tactics and techniques described in this report.
| Tactic | Technique | Observable |
| Execution | T1059.006 - Command and Scripting Interpreter: Python | Connecio is written in the Python programming language |
| T1204.002 - User Execution: Malicious File | Connecio lures the user into executing the malware executable | |
| Command and Control | T1102.001 - Web Service: Dead Drop Resolver | Connecio uses Pastebin dead-drop URLs to resolve its C2 infrastructure |
| Exfiltration | T1048 - Exfiltration Over Alternative Protocol | Connecio exfiltrates information over SMTP |
Table 4. Described Connecio activity MITRE ATT&CK mapping
Cryptocurrency Addresses
The following table includes cryptocurrency addresses obtained from the dead-drop configuration URL.
| Address |
| 0x2DCC92C27C4429B506588012CaC53764780f3e3D |
| 0x6c5E3Ea51B382C49839417dAF3c84E3dA603D12f |
| 0xd23896016eC1Ef2D25Fb8899a4a3a38e0a92F9c1 |
| 13KadCbGWS4rzXiAyc7HHW2HDopN59hKa6 |
| 17tVNxknYnnkrvY3vN4Tw23fXQdSmn7CDU |
| 1Q4V4c1d6Vmr1Bf9BWejixnF8XnfdY6m4s |
| bc1qfwx6sase663vranpr7mkf485ypz3nzvtl0xtld |
| bc1qlneepetqamw7vmfludvrjgnk7tjprzlcy5e293 |
| bc1qr9euay9qsfwsgh2edeqfk0rpw90c9zl9f69kfk |
| bnb10nf3fc0xtfm6f7xfy6vjejnyq88ha7gjc8hx62 |
| bnb130y4jppcnh2vmwc6u4kkktehswldmrk43l7nah |
| bnb1xg0dn3lj6ggekxptv4mg7u89uqqu73ezpxkhup |
| CrnP9VWgegWAFgKYHqsrLhxoWwBykAaHQDkz7A8njtMj |
| DMqCf1f3wCHncDdbHmNZa2AFwyVYDeVSRL |
| DMX3TTkhnDvB7nbhG3jn85U1bHedVsfgJs |
| Fep17BczJDfVeSHytKmCS1n2MBM5j6BVdVEkcN5H1eXJ |
| LcxgZpuNmbji8WfWrEpWHKDA41wGcRxJFe |
| LLGtBdhMb7DABq9Q1yDEGUXAvtn4CyPGh7 |
| ltc1qg9k9ren5rmu65l9jy69lt7tqrl60s7u8e6gv9m |
| qz0zv0l5gqz5f69l8ezpwu8mpfhzv8lwruz5dh2h7p |
| qz9zwucyjf8jw7yhr3dm85ejslaesrrp9y3qh6x2h9 |
| qzanj5umvjs3h6fjplzxh68lnm3hzl7djq9aky0xwn |
| t1KikBNAhHPWBTvDmzzcoUMJ8CKxo8dm2hF |
| TAZnA51ca5P2hpcjUwY6eqYvDL9fGzad3M |
| TFhAp8GYQiyYk3xGgDXoNDokDzKZnMoUuT |
| XiDCvcyAnTKEr6vQn7rjwpjH6tiwhEPPA5 |
| XkarQqC1GGjuF8eQEhWeBifFTz4UyLG7z3 |
| Xy4yi1Qr7UgEh4hSi8dLv7iANecm11MDGM |
Table 5. Connecio-related cryptocurrency addresses
Additional Resources
Read other blog posts from CrowdStrike Intelligence regarding the Falcon content issue:
- Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers
- Likely eCrime Actor Uses Filenames Capitalizing on July 19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers
- Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer