Fake CrowdStrike job offer emails target developers with crypto miners
CrowdStrike is warning that a phishing effort is impersonating the cybersecurity organization in phony job offer emails, duping victims into infecting themselves with a Monero cryptocurrency miner (XMRig).
The organization noticed the harmful campaign on January 7, 2025, and based on the content of the phishing email, it didn't start much earlier.
The campaign begins with a phishing email sent to job searchers, purportedly from a CrowdStrike recruitment representative, congratulating them for applying for a developer position with the organization.
The email instructs recipients to download a bogus "employee CRM application" from a website made to resemble a legitimate CrowdStrike portal.
This is allegedly part of the company's attempt to "streamline their onboarding process by rolling out a new applicant CRM app."
Candidates who click on the embedded link are directed to a website ("cscrm-hiring[.]com") that includes links to download the application for Windows or macOS.
Before fetching further payloads, the downloaded tool performs sandbox checks to make sure it is not running in an analysis environment, such as inspecting the number of running processes, the CPU core count, and the presence of debuggers.
If those checks come back negative, meaning the host looks like a real target rather than an analysis environment, the application displays a bogus error message claiming the installer file is probably corrupt.
In the background, the downloader gets a configuration text file containing the parameters required to launch XMRig.
It then downloads the miner from a GitHub repository and extracts the files to %TEMP%\System\.
To avoid detection, the miner is configured to run in the background and use no more than 10% of processing power.
A batch script is added to the Start Menu Startup directory to ensure persistence across reboots, and a login autostart key is also stored in the registry.
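The persistence chain above (a batch script in the Start Menu Startup folder, a registry autostart value, and the miner staged under %TEMP%\System) is something a defender can look for in an export of a host's autostart entries. The following is an added example and not code from the report or from CrowdStrike: a small rule set run over constructed sample entries. The registry location is assumed to be an HKCU Run value, since the report does not name the key, and the rule names and sample paths are invented for the example.

```python
"""Added example (not from the report or CrowdStrike): rule-based review of
autostart entries for the persistence pattern described above - a batch
script in the Start Menu Startup folder, a registry autostart value, and a
miner staged under %TEMP%\\System. All sample entries are constructed."""
from __future__ import annotations

from dataclasses import dataclass

TEMP_SYSTEM_FRAGMENT = "\\temp\\system\\"   # drop location named in the report


@dataclass(frozen=True)
class AutostartEntry:
    source: str          # "startup_folder" or "registry_run" (HKCU Run assumed)
    name: str            # file name in the Startup folder, or Run value name
    command: str         # path or command line that gets executed at logon
    content: str = ""    # body of the script, when the entry is one


def _normalize(text: str) -> str:
    """Lower-case and collapse %TEMP% so both spellings of the path match."""
    return text.lower().replace("%temp%", "\\temp")


def evaluate(entry: AutostartEntry) -> list[str]:
    """Return the names of every rule the entry trips (empty list = clean)."""
    hits: list[str] = []
    cmd = _normalize(entry.command)
    blob = cmd + "\n" + _normalize(entry.content)
    # Rule 1: a .bat/.cmd dropped straight into the Startup folder.
    if entry.source == "startup_folder" and entry.name.lower().endswith((".bat", ".cmd")):
        hits.append("batch_script_in_startup_folder")
    # Rule 2: anything referencing the %TEMP%\System staging directory.
    if TEMP_SYSTEM_FRAGMENT in blob:
        hits.append("references_temp_system_dir")
    # Rule 3: the miner binary or its config mentioned by name.
    if "xmrig" in blob:
        hits.append("xmrig_reference")
    # Rule 4: a Run value whose target lives under a temp path at all.
    if entry.source == "registry_run" and "\\temp\\" in cmd:
        hits.append("run_value_targets_temp_path")
    return hits


def hunt(entries: list[AutostartEntry]) -> dict[str, list[str]]:
    """Map each flagged entry's name to its rule hits; clean entries are omitted."""
    return {e.name: hits for e in entries if (hits := evaluate(e))}


# Constructed sample: two benign entries and two mirroring the reported chain.
SAMPLE_ENTRIES = [
    AutostartEntry("startup_folder", "OneDrive.lnk",
                   r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutostartEntry("startup_folder", "sysupdate.bat",
                   r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysupdate.bat",
                   content="@echo off\r\nstart /min %TEMP%\\System\\xmrig.exe -c %TEMP%\\System\\config.json\r\n"),
    AutostartEntry("registry_run", "SecurityHealth",
                   r"%windir%\system32\SecurityHealthSystray.exe"),
    AutostartEntry("registry_run", "SystemUpdate",
                   r"%TEMP%\System\xmrig.exe -c %TEMP%\System\config.json"),
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(hits)}")
```

Rules 1 and 4 are deliberately broad: a script in the Startup folder or a Run value pointing into a temp directory is worth a look on its own even when the miner name has been changed, while rules 2 and 3 are the tighter, campaign-specific matches.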
CrowdStrike's report contains further information about the campaign and its indicators of compromise.
Job seekers should always verify that they are corresponding with a legitimate recruiter by checking that the email address belongs to the company's official domain and by contacting that person through the firm's official website.
Be wary of urgent or odd demands, offers that appear too good to be true, or invites to download executable files onto your computer that are apparently essential for recruitment.
Employers seldom, if ever, ask candidates to download third-party applications as part of the interview process, and they never request advance fees.
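The sender-domain check recommended above is easy to get wrong by hand (a display name that says "CrowdStrike" proves nothing, and a lookalike such as official.com.something.net is not a subdomain of official.com). The following is an added example, not code from the report: it parses a From: header, compares the sender domain with the official one, and flags headers whose display name claims the brand while the domain does not support it. It assumes crowdstrike.com as the official domain; the sample headers are constructed, and the sender domain taken from the report is refanged for the test.

```python
"""Added example (not from the report): check whether a recruiter's From:
header actually belongs to the company's official domain. crowdstrike.com is
assumed to be the official domain; the sample headers are constructed, with
the sender domain from the report refanged for the test."""
from __future__ import annotations

from email.utils import parseaddr


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'cscrm-hiring[.]com' back into a hostname."""
    return indicator.replace("[.]", ".")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def check_recruiter_email(from_header: str, official_domain: str, brand: str) -> dict:
    """Compare the sender domain with the official one and note whether the
    display name claims the brand while the domain does not back it up."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    official = official_domain.lower()
    # Exact match or a true subdomain; a suffix such as official.com.evil.net fails.
    is_official = domain == official or domain.endswith("." + official)
    brand_claimed = brand.lower() in display.lower()
    return {
        "domain": domain,
        "official": is_official,
        "brand_claimed": brand_claimed,
        "suspicious": brand_claimed and not is_official,
    }


SAMPLE_HEADERS = [  # constructed; the first uses the domain named in the report
    f"CrowdStrike Talent Team <recruiting@{refang('cscrm-hiring[.]com')}>",
    "Jane Doe <jane.doe@crowdstrike.com>",
    "CrowdStrike Recruiting <jobs@mail.crowdstrike.com>",
    "CrowdStrike HR <hr@crowdstrike.com.careers-portal.net>",
]


def review_samples() -> list[dict]:
    """Run the check over the constructed headers with the assumed official domain."""
    return [check_recruiter_email(h, "crowdstrike.com", "CrowdStrike") for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_HEADERS, review_samples()):
        print(f"{'SUSPICIOUS' if verdict['suspicious'] else 'ok':10} {header}")
```

A non-official domain without the brand in the display name is reported as not official rather than suspicious; either way the advice above applies, and the confirmation step is to reach the recruiter through the company's own site rather than replying to the message.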
Source: Bleeping Computer
#bigfishtec #bigfishcanada #cybersecurity #CrowdStrike #JobOffer #JobSeeker #Miner #Monero #Recruit #XMRig #Phishing