07/23/2024 | Press release | Distributed by Public on 07/24/2024 08:32
On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days after the July 19, 2024, single content update for CrowdStrike's Falcon sensor - which impacted Windows operating systems - was identified and a fix was deployed. The ZIP file uses the filename CrowdStrike Falcon.zipin an attempt to masquerade as a Falcon update. CrowdStrike Intelligence does not currently attribute the analyzed activity to any named adversary.
Technical analysis is based on the ZIP archive (SHA256 hash: 5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183) that was uploaded to a public malware repository on 2024-07-23 12:09 UTC with the filename CrowdStrike Falcon.zip. This archive contains the files shown in Table 1.
Filename | SHA256 Hash |
Readme.txt | 56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a |
CrowdStrike Falcon.exe | 21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6 |
Table 1. Archive CrowdStrike Falcon.zip content
The file CrowdStrike Falcon.exe is a self-extracting RAR (SFX) that contains and executes a Python-compiled executable; this executable contains the Connecio information stealer.
The text file Readme.txt contains instructions for potential victims to disable Windows Defender and execute the malicious executable present in the archive (Figure 1).
Figure 1. Readme.txt content
Upon execution, the malicious file CrowdStrike Falcon.exe unpacks and invokes an information stealer written in the Python programming language that collects system information, the system's external IP address (by making an HTTP GET request to the URL http[:]//ipinfo[.]io/[]?token=7fb82f5925fe8b), and data from multiple web browsers.
Then, the information stealer resolves its command-and-control (C2) servers by making HTTP GET requests to the Pastebin dead-drop URLs shown in Table 2.
Pastebin Dead-Drop URL | Description |
https[:]//pastebin[.]com/FHfj1fYD | C2 server configuration |
https[:]//pastebin[.]com/HeVWATy1 | Simple Mail Transfer Protocol (SMTP) accounts to exfiltrate collected information via email |
https[:]//pastebin[.]com/2diVWcDQ | List of cryptocurrency address patterns and potential replacements; the addresses are likely used for clipboard-hijacking cryptocurrency theft, as they match cryptocurrency addresses and the malware uses the Python library pyperclip to control the clipboard1 |
1 https[:]//pypi[.]org/project/pyperclip/
Table 2. Pastebin dead-drop URLs
These recommendations can be implemented to help protect against the activity described in this report.
This YARA rule detects common strings for the Connecio information stealer.
rule CrowdStrike_CSA_240846_01 : connecio python stealer
{ meta: copyright = "(c) 2024 CrowdStrike Inc." description = "Common strings for Connecio Python stealer" reports = "CSA-240846" version = "202407231719" last_modified = "2024-07-23" malware_family = "Connecio" strings: $ = "C0nn3c+10nz" $ = "?token=" $ = "ACCOUNT(S) INFO COOKIE" $ = "Firefox.get_password" $ = "Brave.get_password" $ = "Chrome.get_password" $ = "MACHINE : " condition: 5 of them } |
This Falcon LogScale query detects the activity described in this report.
// Indicators related to CSA-240846
case { in("SHA256HashData", values=["21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6", "56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a", "5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183", "d7c1be2d0b7d2714ff710676d228ac751c4eba280309e1241a9f7e441299a177"]); in("DomainName", values=["dshu.xyz", "klaxusonline.com", "mail.dshu.xyz", "theprofits.online", "web3versecoin.com", "xryptbx.com"]); in("RemoteAddressIP4", values=["139.99.232.135", "185.255.114.110", "185.255.114.63"]) } | table([cid, aid, #event_simpleName, ComputerName]) |
This table details the IOCs related to the information provided in this report.
Description | Value |
C2 IP addresses |
139.99.232[.]135:80 185.255.114[.]110:80185.255.114[.]63:80 |
SMTP exfiltration-sender accounts |
send@dshu[.]xyz
logs@web3versecoin[.]com logsmaster@xryptbx[.]com |
SMTP exfiltration-recipient accounts |
logs@theprofits[.]online
info2024@klaxusonline[.]com frank@dshu[.]xyz 6000@xryptbx[.]com |
SMTP exfiltration hosts |
mail.dshu[.]xyz:465
web3versecoin[.]com:465 xryptbx[.]com:465 |
Table 3. IOCs
This table details the MITRE ATT&CK® tactics and techniques described in this report.
Tactic | Technique | Observable |
Execution | T1059.006 - Command and Scripting Interpreter: Python | Connecio is written in the Python programming language |
T1204.002 - User Execution: Malicious File | Connecio lures the user into executing the malware executable | |
Command and Control | T1102.001 - Web Service: Dead Drop Resolver | Connecio uses Pastebin dead-drop URLs to resolve its C2 infrastructure |
Exfiltration | T1048 - Exfiltration Over Alternative Protocol | Connecio exfiltrates information over SMTP |
Table 4. Described Connecio activity MITRE ATT&CK mapping
The following table includes cryptocurrency addresses obtained from the dead-drop configuration URL.
Address |
0x2DCC92C27C4429B506588012CaC53764780f3e3D |
0x6c5E3Ea51B382C49839417dAF3c84E3dA603D12f |
0xd23896016eC1Ef2D25Fb8899a4a3a38e0a92F9c1 |
13KadCbGWS4rzXiAyc7HHW2HDopN59hKa6 |
17tVNxknYnnkrvY3vN4Tw23fXQdSmn7CDU |
1Q4V4c1d6Vmr1Bf9BWejixnF8XnfdY6m4s |
bc1qfwx6sase663vranpr7mkf485ypz3nzvtl0xtld |
bc1qlneepetqamw7vmfludvrjgnk7tjprzlcy5e293 |
bc1qr9euay9qsfwsgh2edeqfk0rpw90c9zl9f69kfk |
bnb10nf3fc0xtfm6f7xfy6vjejnyq88ha7gjc8hx62 |
bnb130y4jppcnh2vmwc6u4kkktehswldmrk43l7nah |
bnb1xg0dn3lj6ggekxptv4mg7u89uqqu73ezpxkhup |
CrnP9VWgegWAFgKYHqsrLhxoWwBykAaHQDkz7A8njtMj |
DMqCf1f3wCHncDdbHmNZa2AFwyVYDeVSRL |
DMX3TTkhnDvB7nbhG3jn85U1bHedVsfgJs |
Fep17BczJDfVeSHytKmCS1n2MBM5j6BVdVEkcN5H1eXJ |
LcxgZpuNmbji8WfWrEpWHKDA41wGcRxJFe |
LLGtBdhMb7DABq9Q1yDEGUXAvtn4CyPGh7 |
ltc1qg9k9ren5rmu65l9jy69lt7tqrl60s7u8e6gv9m |
qz0zv0l5gqz5f69l8ezpwu8mpfhzv8lwruz5dh2h7p |
qz9zwucyjf8jw7yhr3dm85ejslaesrrp9y3qh6x2h9 |
qzanj5umvjs3h6fjplzxh68lnm3hzl7djq9aky0xwn |
t1KikBNAhHPWBTvDmzzcoUMJ8CKxo8dm2hF |
TAZnA51ca5P2hpcjUwY6eqYvDL9fGzad3M |
TFhAp8GYQiyYk3xGgDXoNDokDzKZnMoUuT |
XiDCvcyAnTKEr6vQn7rjwpjH6tiwhEPPA5 |
XkarQqC1GGjuF8eQEhWeBifFTz4UyLG7z3 |
Xy4yi1Qr7UgEh4hSi8dLv7iANecm11MDGM |
Table 5. Connecio-related cryptocurrency addresses
Read other blog posts from CrowdStrike Intelligence regarding the Falcon content issue: