Cybercriminals Use CrowdStrike Update Mishap to Spread Remcos RAT Malware

Cybersecurity firm CrowdStrike is currently dealing with the consequences of a flawed update that caused worldwide IT disruptions. Threat actors are taking advantage of this situation to distribute Remcos RAT to customers in Latin America under the guise of a hotfix.

The attackers are using a ZIP archive file called “crowdstrike-hotfix.zip,” which contains a malware loader named Hijack Loader that launches the Remcos RAT payload. The archive also includes a Spanish-language text file (“instrucciones.txt”) instructing targets to run an executable file (“setup.exe”) to fix the issue.

CrowdStrike noted that the campaign is likely targeting Latin America-based customers and attributed it to a suspected e-crime group. The company acknowledged that a sensor configuration update triggered a logic error that caused systems to crash.

Malicious actors are taking advantage of the chaos to set up typosquatting domains impersonating CrowdStrike and offering services to affected companies for cryptocurrency payments. Customers impacted by the issue are advised to communicate with CrowdStrike representatives through official channels.
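A defender can screen domains seen in mail or proxy logs for the brand impersonation described above. The following is an added example, not code from CrowdStrike or the original article; `BRAND`, `OFFICIAL`, the homoglyph table and the `.example` sample domains in the comments are assumptions constructed for illustration.

```python
# Added example: classify domains that imitate a brand name.
BRAND = "crowdstrike"
OFFICIAL = {"crowdstrike.com"}  # assumption: extend with vendor-verified domains

# Digit-for-letter swaps often seen in lookalike names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, max_dist: int = 2) -> str:
    """Return 'official', 'brand-keyword', 'lookalike' or 'unrelated'."""
    if registrable(domain) in OFFICIAL:
        return "official"
    normalized = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    for label in normalized.split("."):
        # Check each hyphen-separated part and the label with hyphens removed.
        for token in label.split("-") + [label.replace("-", "")]:
            if BRAND in token:
                return "brand-keyword"  # e.g. crowdstrike-hotfix.example
            if token and edit_distance(token, BRAND) <= max_dist:
                return "lookalike"      # e.g. crowdstirke.example
    return "unrelated"
```

The brand name in a subdomain of an unrelated registrable domain (such as `crowdstrike.com.example`) is reported as `brand-keyword`, which catches the common trick of placing the trusted name on the left of the hostname.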
