Beware of fake CrowdStrike domains pumping out Lumma infostealing malware

CrowdStrike is the latest lure being used to trick Windows users into downloading and running the notorious Lumma infostealing malware, according to the security shop's threat intel team, which spotted the scam just days after the Falcon sensor update fiasco.

Infostealers such as Lumma scour infected machines for any stored sensitive info, such as site login details and browser histories. This data is then quietly exfiltrated to the malware's operators to use for fraud, theft, and other crimes.

More specifically, this stolen information is used to gain illicit access to victims' online bank accounts and cryptocurrency wallets, along with email inboxes, remote desktop accounts, and other apps and services that require legitimate login credentials, which makes this type of malware especially popular among cyber-crooks.

Lumma is a relatively popular stealer that has been in high demand among ransomware crews since 2022. It's also one of the infostealers that Mandiant says the criminal gang UNC5537 used to obtain credentials that were then used to break into Snowflake cloud storage environments earlier this spring.

In the CrowdStrike campaign, the Lumma build timestamp "indicates the actor highly likely built the sample for distribution the day after the single content update for CrowdStrike's Falcon sensor was identified," the security shop noted.

The domain, crowdstrike-office365[.]com, was registered on July 23, just days after CrowdStrike's July 19 faulty update crashed 8.5 million Windows machines. It speculates that the group behind the domain is linked to earlier social-engineering attacks in June, which also distributed the Lumma malware. 

In these earlier infostealer campaigns, the miscreants spammed out phishing emails, and then followed up with phone calls purporting to be from a Microsoft Teams helpdesk employee.

"Based on the shared infrastructure between the campaigns and apparent targeting of corporate networks, CrowdStrike Intelligence assesses with moderate confidence that the activity is likely attributable to the same unnamed threat actor," the CrowdStrike team reports.

• Cybercrooks spell trouble with typosquatting domains amid CrowdStrike crisis
• Cybercriminals quickly exploit CrowdStrike chaos
• The months and days before and after CrowdStrike's fatal Friday
• CrowdStrike Windows patchpocalypse could take weeks to fix, IT admins fear

The fake CrowdStrike domain attempts to trick users into clicking on and fetching a .zip file purporting to be a recovery tool to fix the boot loop caused by the bad sensor update. The archive contains a Microsoft Installer file, WidowsSystem-update[.]msi, which is actually a malware loader. 

After the loader is executed by the mark, it drops and runs self-extracting RAR file, plenrco[.]exe, that has a Nullsoft Scriptable Install System (NSIS) installer with the filename SymposiumTaiwan[.]exe. This file includes some code fragments of a legitimate AutoIt executable that is heavily obfuscated, and will terminate if the victim's machine is running antivirus software.

But assuming the coast is clear, and the malware can continue undetected, the AutoIt loader runs one of two shellcodes, depending on if its a 32 or 64-bit system, and ultimately deploys the Lumma malware.

Just hours after CrowdStrike's dodgy sensor update sent Windows machines into a BSOD spiral, reports surfaced of scam emails using the outage as a lure and claiming to come from CrowdStrike Support or CrowdStrike Security. The security biz claims that 97 percent of effected systems are now back online. ®