CrowdStrike is the latest lure being used to trick Windows users into downloading and running the notorious Lumma infostealing malware, according to the security shop’s threat intel team, which spotted the scam just days after the Falcon sensor update fiasco.
Infostealers such as Lumma scour infected machines for any stored sensitive info, such as site login details and browser histories. This data is then quietly exfiltrated to the malware’s operators to use for fraud, theft, and other crimes.
More specifically, this stolen information is used to gain illicit access to victims’ online bank accounts and cryptocurrency wallets, along with email inboxes, remote desktop accounts, and other apps and services that require legitimate login credentials, which makes this type of malware especially popular among cyber-crooks.
Lumma is a relatively popular stealer that has been in high demand among ransomware crews since 2022. It’s also one of the infostealers that Mandiant says the criminal gang UNC5537 used to obtain credentials that were then used to break into Snowflake cloud storage environments earlier this spring.
In the CrowdStrike campaign, the Lumma build timestamp “indicates the actor highly likely built the sample for distribution the day after the single content update for CrowdStrike’s Falcon sensor was identified,” the security shop noted.
The domain, crowdstrike-office365[.]com, was registered on July 23, just days after CrowdStrike’s July 19 faulty update crashed 8.5 million Windows machines. It speculates that the group behind the domain is linked to earlier social-engineering attacks in June, which also distributed the Lumma malware.
In these earlier infostealer campaigns, the miscreants spammed out phishing emails, and then followed up with phone calls purporting to be from a Microsoft Teams helpdesk employee.
“Based on the shared infrastructure between the campaigns and apparent targeting of corporate networks, CrowdStrike Intelligence assesses with moderate confidence that the activity is likely attributable to the same unnamed threat actor,” the CrowdStrike team reports.
- Cybercrooks spell trouble with typosquatting domains amid CrowdStrike crisis
- Cybercriminals quickly exploit CrowdStrike chaos
- The months and days before and after CrowdStrike’s fatal Friday
- CrowdStrike Windows patchpocalypse could take weeks to fix, IT admins fear
The fake CrowdStrike domain attem