CrowdStrike warns of a phishing campaign that uses its recruitment branding to trick recipients into downloading a fake application, which finally installs the XMRig cryptominer.
CrowdStrike discovered a phishing campaign using its recruitment branding to trick recipients into downloading a fake application, which acts as a downloader for the XMRig cryptominer.
The cybersecurity firm discovered the campaign on January 7, 2025, the company discovered that threat actors used false offers of employment with CrowdStrike.
“On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an “employee CRM application.” The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website.” reads the report published by CrowdStrike. “Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig.”
The email tricks recipients by claiming they have been selected for a junior developer role and must join a recruitment call by downloading a CRM tool via an embedded link. The phishing message directs the victims to a malicious website that appears to offer download options for both Windows and macOS.
Regardless of the chosen option, a Windows executable written in Rust is downloaded. The application serves as a downloader for XMRig, researchers noticed it supports evasion mechanisms.
Evasion checks supported by the malicious code include detecting debuggers, verifying active processes, checking CPU core count, and scanning for malware analysis tools. If the environment passes these checks, it displays a fake error message before proceeding. The executable then downloads a text file containing XMRig configuration details to initiate mining activities.
“Individuals in the recruitment process should verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files.” concludes the report. “Outside of this campaign, we are aware of scams involving false offers of employment with CrowdStrike. Fraudulent interviews and job offers use fake websites, email addresses, group chats and text messages. We do not interview prospective candidates via instant message or group chat, nor do we require candidates to purchase products or services, or process payments on our behalf, as a condition of any employment offer. And, in reference to the campaign detailed above, we do not ask candidates to download software for interviews.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
