Summary
Synopsis and commentary
Cybersecurity firm CrowdStrike faced worldwide IT disruptions due to a flawed update, which opened the door for cybercriminals to distribute Remcos RAT malware under the guise of providing a hotfix to Latin America-based customers.
The hackers who took advantage of the CrowdStrike outage employed several tactics to exploit the situation:
- Malware Distribution: Cybercriminals, particularly targeting Latin American customers, distributed a malicious ZIP archive named "crowdstrike-hotfix.zip". This archive contained:
  - A malware loader called Hijack Loader (also known as DOILoader or IDAT Loader)
  - The Remcos RAT (Remote Access Trojan) payload
  - A text file with Spanish instructions urging targets to run an executable
- Phishing Campaigns: Hackers launched phishing attempts by sending emails posing as CrowdStrike customer support. These emails aimed to deceive users seeking assistance during the outage.
- Domain Impersonation: Malicious actors quickly set up typosquatting domains to impersonate CrowdStrike. Examples of suspicious domain registrations include 'dstrikeuescreen[.]com' and 'crowrike0[.]com'.
- Social Engineering: Some attackers impersonated CrowdStrike staff or other tech specialists, attempting to obtain login credentials from affected users. They offered fake assistance to exploit the confusion caused by the outage.
- Fraudulent Services: Cybercriminals advertised services to companies affected by the issue, requesting cryptocurrency payments in return.
- Fake Software Patches: Attackers distributed counterfeit software patches, claiming to fix the issues caused by the CrowdStrike outage.
- Targeted Attacks: The campaign primarily focused on Latin America-based CrowdStrike customers, as evidenced by the Spanish-language files and instructions in the malicious ZIP archive.
- Exploiting IT Professionals: Hackers specifically targeted IT managers and professionals who were frantically trying to resolve the outage issues, as they were more likely to fall for scams promising quick fixes.
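As an added defender-side example (not part of the summary above), the following Python scores domain registrations for resemblance to the "crowdstrike" brand, using the two defanged domains quoted above as constructed sample input, and flags archive names that pair the brand with hotfix wording as the lure did. The allow-list, the similarity threshold and the lure word list are assumptions for this example.

```python
from difflib import SequenceMatcher

BRAND = "crowdstrike"
# Domains the brand legitimately operates (assumption for this example; keep it current).
ALLOWLIST = {"crowdstrike.com"}
# The lure archive paired the brand name with "fix" wording, so attachments are checked for both.
LURE_WORDS = ("hotfix", "fix", "patch", "update")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")

def undefang(domain: str) -> str:
    """Turn a defanged indicator such as 'crowrike0[.]com' back into a plain hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable_label(domain: str) -> str:
    """Second-level label ('crowrike0' from 'crowrike0.com'); assumes a single-label TLD."""
    parts = undefang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_score(domain: str, brand: str = BRAND) -> float:
    """0..1: whole-label similarity, or the share of the brand reproduced as one fragment."""
    label = registrable_label(domain)
    sm = SequenceMatcher(None, label, brand)
    whole = sm.ratio()                       # catches dropped/swapped letters: 'crowrike0'
    m = sm.find_longest_match(0, len(label), 0, len(brand))
    fragment = m.size / len(brand)           # catches embedded fragments: 'dstrikeuescreen'
    return max(whole, fragment)

def flag_lookalikes(domains, threshold: float = 0.6):
    """Return (domain, score) for registrations resembling the brand that are not allow-listed."""
    hits = []
    for d in domains:
        if undefang(d) in ALLOWLIST:
            continue
        score = lookalike_score(d)
        if score >= threshold:
            hits.append((d, round(score, 2)))
    return hits

def suspicious_attachment(filename: str) -> bool:
    """Flag an archive whose name pairs the brand with fix/patch wording, e.g. 'crowdstrike-hotfix.zip'."""
    name = filename.lower()
    return name.endswith(ARCHIVE_EXT) and BRAND in name and any(w in name for w in LURE_WORDS)

# Constructed sample input: the two defanged domains quoted above plus benign names.
SAMPLE_DOMAINS = ["dstrikeuescreen[.]com", "crowrike0[.]com", "crowdstrike.com", "example.com", "github.com"]

if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE_DOMAINS))         # [('dstrikeuescreen[.]com', 0.64), ('crowrike0[.]com', 0.8)]
    print(suspicious_attachment("crowdstrike-hotfix.zip"), suspicious_attachment("quarterly-report.zip"))
```

Newly registered domains from a certificate-transparency or passive-DNS feed can be run through `flag_lookalikes` to build a watch list; tune the threshold against your own benign traffic before alerting on it.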