Recently, CrowdStrike uncovered a phishing campaign exploiting its trusted recruitment branding to distribute the XMRig cryptominer. Disguised as an “employee CRM application,” the campaign lured job seekers with fraudulent promises of employment opportunities.
The attack begins with a phishing email mimicking CrowdStrike’s recruitment process. Victims are directed to a malicious website where they are prompted to download the fake CRM application. Despite offering download options for both Windows and macOS, the website delivers a Windows executable written in Rust, regardless of the user’s selection. This executable acts as a downloader for XMRig, a well-known cryptomining malware.
The malware is programmed to evade detection with several environment checks:
- Debugger detection: It uses the IsDebuggerPresent Windows API to determine if a debugger is attached.
- Process analysis: It verifies that a minimum number of active processes are running.
- CPU validation: It checks for at least two cores on the system.
- Sandbox evasion: It scans for malware analysis or virtualization software in running processes.
If these checks are satisfied, the malware displays a fake error message before continuing its operations.
Once the evasion checks are complete, the downloader retrieves configuration data from a remote server, downloads the XMRig miner from GitHub, and executes it. The cryptominer is extracted into the %TEMP%\System\ directory and set up for persistence by:
- Dropping a batch script into the Start Menu Startup directory.
- Creating a Windows Registry logon autostart entry.
The malware then begins cryptomining operations, utilizing the victim’s system resources to generate cryptocurrency for the attackers.
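The two persistence mechanisms listed above (a batch script in the Start Menu Startup folder and a Registry logon autostart entry pointing into %TEMP%\System\) are both cheap to audit. The script below is an added example written for this page, not CrowdStrike's code or anything from the campaign itself: it takes a snapshot of Run-key values and a Startup-folder listing (constructed sample data, not real indicators) and flags entries that launch from the user's %TEMP% tree, rating the `System` subfolder named in the article highest. It generalizes slightly beyond the article by also flagging any autostart under %TEMP% at all, since legitimate software rarely persists from there. The names `find_suspicious_autostarts`, `command_image_path` and `is_under` are this example's own.

```python
import ntpath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (value name -> command line). On a live host you would read these with winreg.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SystemUpdate": r'"C:\Users\alice\AppData\Local\Temp\System\miner.exe" --config=cfg.json',
    "Updater": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
}

# Constructed listing of the per-user Start Menu Startup directory.
SAMPLE_STARTUP_DIR = (
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
)
SAMPLE_STARTUP_FILES = ["desktop.ini", "launcher.bat"]

# Expanded value of %TEMP% for the sampled user (constructed).
SAMPLE_TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"


def command_image_path(command):
    """Extract the executable path from a Run-key command line.

    Handles both quoted paths ("C:\\Program Files\\x.exe" /arg) and bare
    paths without spaces (C:\\tools\\x.exe -q)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_under(path, directory):
    """Case-insensitive test that a Windows path lies inside a directory.

    ntpath is used so the comparison behaves the same on any OS."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + "\\")


def find_suspicious_autostarts(run_entries, startup_dir, startup_files, temp_dir):
    """Return (source, name, path, severity) tuples for autostart entries that
    match the persistence pattern described in the article."""
    findings = []
    temp_system = ntpath.join(temp_dir, "System")

    # Registry logon autostart entries launching from the temp tree.
    for name, command in run_entries.items():
        image = command_image_path(command)
        if is_under(image, temp_system):
            findings.append(("registry_run", name, image, "high"))
        elif is_under(image, temp_dir):
            findings.append(("registry_run", name, image, "medium"))

    # Batch scripts dropped into the Startup folder.
    for fname in startup_files:
        if fname.lower().endswith((".bat", ".cmd")):
            findings.append(
                ("startup_folder", fname, ntpath.join(startup_dir, fname), "medium")
            )
    return findings


if __name__ == "__main__":
    for source, name, path, severity in find_suspicious_autostarts(
        SAMPLE_RUN_ENTRIES, SAMPLE_STARTUP_DIR, SAMPLE_STARTUP_FILES, SAMPLE_TEMP_DIR
    ):
        print(f"[{severity:6}] {source:14} {name!r} -> {path}")
```

To run this against a real host, replace the constructed dictionaries with values read from the HKCU and HKLM `...\CurrentVersion\Run` keys and an `os.listdir` of the Startup folder; a medium finding is worth a look, and anything launching from %TEMP%\System\ should be treated as a likely miner drop until proven otherwise.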
Phishing campaigns continue to evolve, exploiting trusted brands like CrowdStrike to deceive unsuspecting individuals. By remaining vigilant and employing robust security measures, both job seekers and organizations can mitigate the risks of such sophisticated scams.