Threat actors are capitalizing on the chaos resulting from a major IT disruption caused by CrowdStrike’s glitchy update to target companies with data wipers and remote access tools (RATs).

Last Friday, a global IT outage related to the interaction between CrowdStrike antivirus and Windows led to widespread disruptions in the operations of airports, banks, media outlets, and telecommunications operators around the world. The outage affected the US, Australia, New Zealand, the UK, Turkey, India, Germany, Ukraine, and other countries.

Airports in Sydney, Scotland, and Berlin temporarily halted operations, flights of SpiceJet and Ryanair were canceled, the London Stock Exchange suspended its activities, and the British channel Sky News and the Australian Broadcasting Corporation were unable to broadcast. McDonald's Japan closed its stores nationwide.

Companies such as Amazon, Visa, Xbox, and Delta were also affected. Many Microsoft users encountered the “blue screen of death.” The failure was reportedly caused by an update from cybersecurity company CrowdStrike, which caused issues with its Falcon Sensor product in Windows. CrowdStrike said that the issue was a content deployment problem and that it has rolled back the changes and provided recommendations for affected users.

Unsurprisingly, the flawed update has led to an increase in phishing emails as businesses seek assistance to fix affected Windows hosts. Researchers and government agencies have noted a surge in malicious activities exploiting this situation.

On Saturday, CrowdStrike issued warnings to its customers, advising them to ensure they are communicating with legitimate representatives through official channels. The UK National Cyber Security Center (NCSC) has also observed an uptick in phishing messages attempting to take advantage of the outage. Additionally, the automated malware analysis platform AnyRun has detected an increase in attempts to impersonate CrowdStrike, which could potentially lead to phishing attacks.

CrowdStrike said that threat actors are using this incident to distribute the Remcos RAT to the company's customers in Latin America, masquerading as a hotfix. The attack chain involves distributing a ZIP archive named "crowdstrike-hotfix.zip," which contains a malware loader known as Hijack Loader (aka DOILoader or IDAT Loader). This loader subsequently launches the Remcos RAT payload.

The ZIP archive also includes a text file, "instrucciones.txt," with Spanish-language instructions urging targets to run an executable file, "setup.exe," to recover from the issue. The use of Spanish filenames and instructions suggests that this campaign is specifically targeting Latin America-based (LATAM) CrowdStrike customers. CrowdStrike attributes the campaign to a suspected e-crime group.

Microsoft reported that the outage affected 8.5 million Windows devices globally, accounting for less than one percent of all Windows machines. The company has released a new recovery tool to assist IT administrators in repairing Windows machines impacted by CrowdStrike's faulty update.