Job-seeking devs targeted with fake CrowdStrike offer via email


Cryptojackers are impersonating Crowdstrike via email to get developers to unwittingly install the XMRig cryptocurrency miner on their Windows PC, the company has warned.

The email

Crowdstrike has a web page where job hunters can see which positions are open at the company and apply for a job.

Job hunting is often a taxing process involving many applications sent to many different companies, and the crooks behind this scheme are betting on some of the targets having previously applied for a job at Crowdstrike (or believing they have).

The phishing email impersonates the company and asks the potential victim to access a desktop app to schedule their interview.

To download the “new applicant and employee CRM app”, they are directed to a Crowdstrike-branded site supposedly providing a Windows or macOS version for download.

The malicious, fake Crowdstrike site (Source: Crowdstrike)

In reality, both download buttons trigger the downloading of the same malicious executable, which can only target Windows machines.

The malicious payload

The downloaded ZIP file contains an executable that, when run, checks for the presence of a debugger, malware analysis tools and virtualization tools, and whether the target system has a CPU with at least two cores and a minimum number of active processes.

If no such tools are found and the CPU and process-count conditions are met, the executable pops up a fake error message:

Crowdstrike email

In the background, though, the executable also downloads a copy of XMRig from GitHub and a text configuration file.

Once the miner is installed and configured, the executable creates a copy of the miner and adds a new Windows Registry logon autostart key to make the miner start working each time the system is rebooted. The miner also uses minimal CPU resources to avoid detection.
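The persistence step described above (a logon autostart key that relaunches a miner dropped into a user-writable folder) is a good fit for a simple registry-telemetry check. The following script is an added example, not code from the article or from CrowdStrike: it parses constructed Sysmon-style "registry value set" events (Event ID 13, with the TargetObject/Details/Image field names Sysmon uses) and flags Run/RunOnce entries whose executable, or whose writing process, lives under AppData, Downloads, Temp, ProgramData or Public. The article does not name the exact key the sample writes, so the Run/RunOnce keys, the sample paths, SIDs and file names are all assumptions made for the example.

```python
"""Flag logon-autostart (Run/RunOnce) registry writes that point at user-writable paths.

Added example: the event lines below imitate Sysmon Event ID 13 (RegistryEvent, value set)
as a log shipper might flatten them. They are constructed for this example and are not
real telemetry from the campaign; field names follow Sysmon's schema.
"""
import re

# Constructed sample telemetry. Paths, SIDs and file names are invented for this example.
SAMPLE_EVENTS = [
    r'EventID=13 TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" '
    r'Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" '
    r'Image="C:\Program Files\Microsoft OneDrive\OneDrive.exe"',
    r'EventID=13 TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater" '
    r'Details="C:\Users\alice\AppData\Roaming\svc\xmrig.exe -c config.txt" '
    r'Image="C:\Users\alice\Downloads\applicant-crm-setup.exe"',
    r'EventID=12 TargetObject="HKLM\SOFTWARE\Vendor\App" Image="C:\Windows\System32\msiexec.exe"',
    r'EventID=13 TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth" '
    r'Details="%windir%\system32\SecurityHealthSystray.exe" Image="C:\Windows\System32\svchost.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Value written directly under ...\CurrentVersion\Run or \RunOnce (assumed persistence location).
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\[^\\]+$', re.IGNORECASE)
# Directories an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(
    r'\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\|\\Public\\',
    re.IGNORECASE,
)


def parse_event(line):
    """Return the key="value" fields of one flattened event line as a dict, plus EventID as int."""
    fields = dict(FIELD_RE.findall(line))
    m = re.match(r'EventID=(\d+)', line)
    fields["EventID"] = int(m.group(1)) if m else None
    return fields


def executable_of(command):
    """Extract the program path from a Run-key command line (quoted, ends in a script/exe, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'^(.*?\.(exe|cmd|bat|ps1|vbs|js))\b', command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split(" ", 1)[0]


def analyze(lines):
    """Return findings for Run/RunOnce writes whose executable or writer lives in a user-writable path."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != 13:  # only "value set" events carry the command line
            continue
        key = ev.get("TargetObject", "")
        if not AUTOSTART_RE.search(key):
            continue
        exe = executable_of(ev.get("Details", ""))
        writer = ev.get("Image", "")
        reasons = []
        if USER_WRITABLE_RE.search(exe):
            reasons.append("autostart executable lives in a user-writable directory")
        if USER_WRITABLE_RE.search(writer):
            reasons.append("Run value written by a process running from a user-writable directory")
        if reasons:
            findings.append({
                "value_name": key.rsplit("\\", 1)[-1],
                "executable": exe,
                "writer": writer,
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["value_name"], f["executable"], "|", "; ".join(f["reasons"]))
```

On the constructed sample the OneDrive and SecurityHealth entries pass (both resolve to system or Program Files locations), while the "Updater" value is reported as high severity because the miner binary sits under AppData and the value was written by an installer run from Downloads. Two caveats for real deployments: paths expressed through environment variables such as %windir% or %APPDATA% are not expanded here and should be resolved before matching, and the check only covers Run/RunOnce; a complete autostart review should also include scheduled tasks, services and startup folders.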

Exploiting users’ weak spots

Job offers or opportunities to interview for a well-paid job are frequently used as a lure by cryptojackers, scammers, and malware peddlers casting a wide net, as well as initial access brokers, ransomware affiliates and state-sponsored APT groups looking for a way into specific organizations.

Crowdstrike has warned about this very recent campaign, but says that they are also aware of scams involving false offers of employment with CrowdStrike.

“Fraudulent interviews and job offers use fake websites, email addresses, group chats and text messages,” the company noted, and pointed out that they:

  • Do not interview prospective candidates via instant message or group chat
  • Do not require candidates to purchase products or services, process payments on the company’s behalf, or ask candidates to download software for interviews.

“This campaign highlights the importance of vigilance against phishing scams, particularly those targeting job seekers. Individuals in the recruitment process should verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files,” they added.
