Thursday, January 23, 2025

Beware! Fake CrowdStrike Recruitment Emails Spread Cryptominer Malware


CrowdStrike, a leader in cybersecurity, uncovered a sophisticated phishing campaign that leverages its recruitment branding to propagate malware disguised as an “employee CRM application.”

This alarming attack vector begins with a fraudulent email impersonating CrowdStrike’s hiring team, coaxing recipients into visiting a malicious website.

Once there, victims are unwittingly prompted to download and execute a harmful application that operates as a downloader for the cryptominer XMRig.

How the Scam Works

The phishing scam kicks off with an enticing email that claims to be part of a recruitment process. The initial communication often features professional branding and a direct link to a fabricated website designed to mimic CrowdStrike’s legitimate recruitment portal.

Initial phishing email

Upon clicking the link, victims land on a malicious site that presents download options for both Windows and macOS.


Impersonated malicious phishing site containing download links for fake “CRM application”

However, regardless of the selection made, the downloaded file is a Windows executable, ingeniously crafted in Rust, designed to evade detection while functioning as a downloader for the XMRig cryptominer.

According to the CrowdStrike report, the executable employs several techniques to evade security mechanisms and analysis. Notably, it performs the following environment checks:

  1. Debugger Detection: It uses the IsDebuggerPresent Windows API to determine if it is being monitored by a debugger.
  2. Process Count Verification: It checks that a minimum number of active processes are running; too few can indicate a sandboxed or monitored environment.
  3. CPU Core Check: The malware ensures that the CPU has at least two cores, targeting more capable systems for its operations.
  4. Process Scanning: It scans the active processes for known malware analysis tools and virtualization software, avoiding execution in sandboxed environments.

If these checks are successfully passed, the program displays a fake error message to avoid suspicion before proceeding with its malicious activities.

Payload Delivery

Following the fake pop-up, the malicious executable downloads a configuration text file from a specified URL. This text file contains essential command-line arguments for XMRig, which are then used to execute the mining operation efficiently.

The executable then retrieves XMRig from its GitHub repository and extracts the ZIP file to the %TEMP%\System\ directory. Once unpacked, the primary XMRig miner is launched using the configuration parameters retrieved earlier.

To establish persistence, the downloader creates a Windows batch script in the Start Menu Startup directory.

This script executes the downloaded miner each time the system boots up. Additionally, it modifies the Windows Registry to ensure that the malicious downloader operates upon every logon, thus maintaining a continuous mining operation without the user’s knowledge.
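The staging and persistence behaviour described above can be hunted in endpoint telemetry. The sketch below is an added example, not code from CrowdStrike's report or this article: the event field names, host names and sample events are constructed, and the Run key is an assumed autostart location because the article does not name the registry value.

```python
import re
from collections import defaultdict

# Indicators taken from the article's description of the downloader.
TEMP_SYSTEM = re.compile(r"\\appdata\\local\\temp\\system\\", re.I)  # %TEMP%\System\
STARTUP_BAT = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(bat|cmd)$", re.I)
# Assumption: the article does not name the registry location. Run keys are a
# common per-logon autostart point, so they stand in for it here.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE = re.compile(r"\\temp\\|\\downloads\\", re.I)

def classify(event):
    """Return the indicator name an event matches, or None."""
    kind = event["kind"]
    if kind == "process_create" and TEMP_SYSTEM.search(event["image"]):
        return "exec_from_temp_system"
    if kind == "file_create" and STARTUP_BAT.search(event["path"]):
        return "startup_batch_script"
    if (kind == "registry_set" and RUN_KEY.search(event["key"])
            and USER_WRITABLE.search(event["value"])):
        return "run_key_to_user_writable_path"
    return None

def hunt(events):
    """Group indicators per host; report hosts showing two or more distinct ones."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[ev["host"]].add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= 2}

# Constructed sample telemetry (hypothetical hosts, users and file names).
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "file_create",
     "path": r"C:\Users\al\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.bat"},
    {"host": "ws-01", "kind": "process_create",
     "image": r"C:\Users\al\AppData\Local\Temp\System\xmrig.exe"},
    {"host": "ws-01", "kind": "registry_set",
     "key": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\crm",
     "value": r"C:\Users\al\Downloads\crm_setup.exe"},
    # Benign-looking host: a single weak signal is not enough to flag it.
    {"host": "ws-02", "kind": "process_create",
     "image": r"C:\Users\bo\AppData\Local\Temp\System\helper.exe"},
    {"host": "ws-02", "kind": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\agent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, names)
```

Requiring two distinct indicators per host keeps a lone installer running from a temporary folder from raising an alert on its own.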

This incident underscores the critical need for vigilance against phishing scams, particularly for job seekers.

Candidates involved in the recruitment process are urged to verify the legitimacy of any communication claiming to be from CrowdStrike. Downloading unsolicited files from unknown sources poses significant risks.

Organizations can mitigate these threats by educating employees on identifying phishing attempts, monitoring network traffic for unusual activity, and implementing robust endpoint protection solutions.

CrowdStrike also wants to remind the community about other prevalent scams that misrepresent employment offers.

Fraudulent interviews and offers often use fake websites, email addresses, and even group chat platforms. CrowdStrike confirms that it does not conduct interviews via instant messaging or require any financial transactions as part of the hiring process.




Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
