Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

CrowdStrike Phishing Scam Analysis: Cryptominer Malware via Fake Job Offers

A recent phishing campaign has been identified where cybercriminals are impersonating CrowdStrike recruiters to distribute cryptominer malware, specifically the XMRig miner. Here is a detailed analysis of the scam:

Phishing Campaign Mechanics

  • The campaign begins with a phishing email that appears to be part of CrowdStrike's recruitment process. The email invites the target to schedule an interview for a junior developer role [1][2][4].
  • The email contains a link that directs the victim to a malicious website designed to look like a legitimate CrowdStrike recruitment site. This site offers download links for a fake "CRM application" for both Windows and macOS [1][2][4].

Malware Distribution

  • Regardless of the operating system selected, the victim downloads a Windows executable written in Rust. This executable acts as a downloader for the XMRig cryptominer [1][2][4].
  • The downloaded executable performs several environment checks to evade detection:
    • It uses the IsDebuggerPresent Windows API to check if a debugger is attached.
    • It verifies that the central processing unit has at least two cores.
    • It scans the list of running processes for common malware analysis or virtualization software tools [1][2][4].

Malware Behavior

  • If the environment checks are passed, the executable displays a fake error message before proceeding to download additional payloads. These payloads include configuration data from a remote server and the XMRig miner, which is then executed in the background [1][2][4].
  • The malware sets up persistence by dropping a batch script into the Start Menu Startup directory and creating a Windows Registry logon autostart entry. This ensures the cryptominer runs continuously, utilizing the victim's system resources to generate cryptocurrency [4].
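The two persistence artifacts described above (a batch script in the Start Menu Startup directory and a logon autostart value under a Run key) are both visible in endpoint telemetry. The following is an added detection example written for this summary; it is not code from the article, from CrowdStrike, or from any of the cited sources. It assumes Sysmon-style event records (Event ID 11 for file creation, Event ID 13 for registry value set) and runs over a handful of constructed sample events; the file names, user SIDs and process paths in the samples are invented placeholders.

```python
"""Detection logic for Startup-folder and Run-key persistence.

Added example, not from the original article. Input is a list of
Sysmon-style event dicts; the SAMPLE_EVENTS below are constructed
for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events in a simplified Sysmon-like shape.
# Event ID 11 = FileCreate, Event ID 13 = RegistryEvent (value set).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\crm_setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.bat"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\crm_setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\update",
     "Details": r"C:\Users\alice\AppData\Roaming\update.bat"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\notes.docx"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

# A .bat/.cmd written directly into any user's Start Menu Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.IGNORECASE)
# A value set under Run or RunOnce in any hive (HKU\<sid>, HKLM, ...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # which persistence artifact matched
    image: str       # process that wrote the artifact
    artifact: str    # the file path or registry value that was written


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches one of the two persistence artifacts."""
    if event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            return Finding("startup_folder_script", event.get("Image", ""), target)
    elif event.get("EventID") == 13:
        key = event.get("TargetObject", "")
        if RUN_KEY_RE.search(key):
            value = event.get("Details", "")
            return Finding("run_key_autostart", event.get("Image", ""), f"{key} = {value}")
    return None


def scan_events(events: List[dict]) -> List[Finding]:
    """Run check_event over every record and keep the matches, in input order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


def correlate_by_image(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group matched techniques by the writing process.

    One process that both drops a Startup script and adds a Run value,
    as the downloader in this campaign does, is a much stronger signal
    than either artifact on its own.
    """
    by_image: Dict[str, set] = {}
    for f in findings:
        by_image.setdefault(f.image, set()).add(f.technique)
    return {img: sorted(techs) for img, techs in by_image.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.technique}] {f.image} -> {f.artifact}")
    for img, techs in correlate_by_image(found).items():
        if len(techs) == 2:
            print(f"HIGH: {img} established both Startup-folder and Run-key persistence")
```

Either artifact alone is also produced by legitimate installers, so in production this logic would sit behind an allowlist of known-good writing processes; the correlation step is what raises a single unknown executable doing both to a high-confidence alert.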

Impact and Advice

  • The cryptominer can cause significant damage to the affected devices, including overheating and shortening the device lifespan due to the intense computational load [1].
  • CrowdStrike has advised job seekers to be vigilant and avoid falling victim to such scams. Key red flags include:
    • Interviews conducted via instant message or group chat.
    • Requests to purchase products or process payments as a condition of employment.
    • Requests to download software for interviews.
  • Job seekers should verify the authenticity of CrowdStrike communications by contacting recruiting@crowdstrike.com and use the official Careers page for job applications [1].

Conclusion

This phishing campaign highlights the evolving nature of social engineering attacks, where trusted brands like CrowdStrike are exploited to deceive unsuspecting individuals. It is crucial for both job seekers and organizations to remain vigilant and employ robust security measures to mitigate the risks of such sophisticated scams.

Sources:

  • [1] Infosecurity Magazine: Cybercriminals Use Fake CrowdStrike Job Offers to Distribute Malware
  • [2] MSSP Alert: CrowdStrike Spoofed in Recruitment Phishing Scam
  • [4] Security Online: Recruitment Scam Targets Job Seekers with Fake CrowdStrike Branding