Cryptominers use fake CrowdStrike job offers to target devs

January 29, 2025

A new phishing campaign that deploys cryptocurrency miners uses fake CrowdStrike job offers to target and deceive developers.

According to the reports, the operation delivers XMRig, an open-source miner for the Monero cryptocurrency. CrowdStrike said it noticed the malicious activity earlier this month. The campaign begins with a phishing email that purports to come from a CrowdStrike recruiter and congratulates the recipient on applying for a developer position with the company.

The email then prompts the recipient to download a phoney "employee CRM application" from a website posing as a legitimate CrowdStrike portal. The lure frames this as part of a new onboarding process in which candidates must install a candidate CRM tool before proceeding.

Image: the fake CrowdStrike job offer redirects users to a download page.

Recipients who click the link in the fake job offer are taken to a website offering downloads of the application for macOS or Windows.

Before fetching any further payloads, the downloaded tool performs sandbox checks to make sure it is not running in an analysis environment: it inspects the number of running processes, the CPU core count, and whether a debugger is attached.
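As an added example (not code from the campaign or from CrowdStrike), the script below reproduces the three anti-analysis checks the article attributes to the downloader so that a sandbox operator can see whether their environment would trip them. The thresholds `MIN_CPU_CORES` and `MIN_PROCESSES` are assumptions; the article names the checks but gives no cut-off values.

```python
"""Added example: reproduces the three anti-analysis checks the article
attributes to the downloader (process count, CPU core count, debugger
presence) so a sandbox operator can see whether the environment would
pass them. The thresholds are assumptions; the article gives no cut-offs."""
import os
import platform
import subprocess
import sys

MIN_CPU_CORES = 2   # assumed: single-core VMs are a classic sandbox tell
MIN_PROCESSES = 50  # assumed: a freshly booted analysis VM runs very little


def process_count() -> int:
    """Number of running processes, using only the standard library."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/NH"], capture_output=True,
                             text=True, check=False).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    if os.path.isdir("/proc"):  # Linux: one numeric directory per PID
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    out = subprocess.run(["ps", "-A"], capture_output=True,
                         text=True, check=False).stdout
    return max(len(out.splitlines()) - 1, 0)  # drop the header row


def debugger_present() -> bool:
    """IsDebuggerPresent() on Windows; a Python-level tracer elsewhere."""
    if platform.system() == "Windows":
        import ctypes
        return bool(ctypes.windll.kernel32.IsDebuggerPresent())
    return sys.gettrace() is not None


def analysis_indicators(cpu_cores: int, processes: int,
                        debugger: bool) -> list:
    """Return the reasons a host would be treated as an analysis
    environment; an empty list means the downloader would proceed."""
    reasons = []
    if cpu_cores < MIN_CPU_CORES:
        reasons.append("too few CPU cores")
    if processes < MIN_PROCESSES:
        reasons.append("too few running processes")
    if debugger:
        reasons.append("debugger attached")
    return reasons


def self_test() -> list:
    """Evaluate the current host against the same heuristics."""
    return analysis_indicators(os.cpu_count() or 1, process_count(),
                               debugger_present())


if __name__ == "__main__":
    hits = self_test()
    print("would be flagged as sandbox:" if hits else "passes the checks", hits)
```

Run it inside the detonation VM: if it reports any indicator, the sample under analysis is likely to bail out with the fake "corrupt installer" error before it ever reaches for the miner, and the sandbox needs more cores, more background processes, or a non-debugger instrumentation approach.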

Once none of these checks indicates an analysis environment, the application displays a bogus error message claiming that the installer file is probably corrupt. Meanwhile, the downloader retrieves a configuration text file containing the parameters needed to launch XMRig in the background.

It then downloads the miner from a GitHub repository and extracts the files to '%TEMP%\System\'. The miner runs in the background with reduced resource usage so that the victim is less likely to notice it.

For persistence across reboots, the malware drops a batch script into the Start Menu Startup directory and also writes an autostart entry to the Windows registry.
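The persistence and staging artifacts described above give a defender three concrete places to look. The script below is an added example (not CrowdStrike's or the article's own tooling) that classifies autorun entries against those locations: a batch script in the Startup folder, a Run value or Startup item that points into %TEMP%\System, or anything naming XMRig. The regular expressions, the `AutorunEntry` type and the `SAMPLE_ENTRIES` list are assumptions constructed for this example, not published indicators.

```python
"""Added example: hunts for the persistence and staging artifacts the
article describes (a batch script in the Start Menu Startup folder, a
registry Run value, miner files under %TEMP%\\System). The indicator
patterns and sample entries are assumptions built from the article, not
indicators published by CrowdStrike."""
import os
import platform
import re
from dataclasses import dataclass

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STAGING_DIR = re.compile(r"(?i)(%temp%|\\temp)\\system\\")  # %TEMP%\System\
XMRIG = re.compile(r"(?i)\bxmrig\b")


@dataclass
class AutorunEntry:
    source: str    # "startup-folder" or "registry:<hive>\<key>"
    name: str
    command: str   # file path or Run-value data


def classify(entry: AutorunEntry) -> list:
    """Findings for one entry; an empty list means nothing matched."""
    findings = []
    if STAGING_DIR.search(entry.command):
        findings.append("references %TEMP%\\System staging directory")
    if XMRIG.search(entry.command):
        findings.append("references XMRig")
    if entry.source == "startup-folder" and entry.command.lower().endswith((".bat", ".cmd")):
        findings.append("batch script in Startup folder")
    return findings


def hunt(entries) -> dict:
    """Map each flagged entry name to its findings; clean entries are omitted."""
    return {e.name: f for e in entries if (f := classify(e))}


def collect_windows_autoruns() -> list:
    """Enumerate Run keys and Startup folders; returns [] off Windows."""
    entries = []
    if platform.system() != "Windows":
        return entries
    import winreg
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append(AutorunEntry(f"registry:{label}\\{RUN_KEY}", name, str(value)))
                    index += 1
        except OSError:
            pass  # key absent or not readable
    for base in (os.environ.get("APPDATA", ""), os.environ.get("PROGRAMDATA", "")):
        folder = os.path.join(base, r"Microsoft\Windows\Start Menu\Programs\Startup")
        if base and os.path.isdir(folder):
            for item in os.listdir(folder):
                entries.append(AutorunEntry("startup-folder", item, os.path.join(folder, item)))
    return entries


# Constructed sample: one benign Run value, one batch script in Startup,
# one Run value pointing at the miner's staging directory.
SAMPLE_ENTRIES = [
    AutorunEntry("registry:HKCU\\" + RUN_KEY, "OneDrive",
                 r'"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry("startup-folder", "update.bat",
                 r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"),
    AutorunEntry("registry:HKCU\\" + RUN_KEY, "SystemService",
                 r"%TEMP%\System\xmrig.exe --config %TEMP%\System\config.txt"),
]

if __name__ == "__main__":
    live = collect_windows_autoruns()
    for name, findings in hunt(live or SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(findings)}")
```

On a Windows host the script walks the HKCU and HKLM Run keys and both Startup folders; elsewhere it falls back to the constructed sample so the classification logic can still be exercised. A Startup-folder batch script is not malicious on its own, which is why it is reported as a finding to triage rather than a verdict.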

Job seekers should always verify that they are dealing with a legitimate recruiter: check that the sender's email address belongs to the company's official domain, and confirm the contact through the firm's official careers page rather than through links in the email.

Job seekers, and developers in particular, should be wary of urgent or unusual demands, including any request to download and run an executable as a supposed step in the recruitment process. No legitimate hiring workflow requires installing a "CRM tool" on a candidate's machine, and refusing such downloads prevents the malicious payload from ever reaching the host.
