CrowdStrike warns of a sophisticated phishing campaign targeting job applicants. The attackers disguise an XMRig cryptominer as a CRM application that is supposedly part of the application process.
The cybersecurity provider discovered the scam on January 7. The perpetrators send fake recruiting emails that promise recipients a position as a junior developer. Victims are told to download special CRM software for an alleged job interview.
Sophisticated camouflage strategy
Disguised as a CRM, the malware first carries out various checks after launch to make analysis more difficult. For example, it searches for debugging tools or virtualization software and checks the number of running processes and available CPU cores.
If these checks pass, the program fakes a failed installation. At the same time, it downloads the XMRig miner from GitHub in the background and fetches the associated configuration from a separate server at 93.115.172[.]41.
Automatic restart set up
To persist on the system, the malware places a Windows batch script in the autostart folder. This ensures that mining resumes automatically after each system start.
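An added example, not taken from CrowdStrike's report: a small Python triage over endpoint events that flags the two host-visible artifacts described above, a batch script written to a Windows Startup folder and a connection to the reported configuration server. The event schema, host names and file names are constructed for illustration, and reading "autostart folder" as the standard per-user and all-users Startup folders is an assumption.

```python
import ntpath

# IP the article names as the miner's configuration server (defanged there).
CONFIG_SERVER_IP = "93.115.172.41"
# Assumption: "autostart folder" means the per-user or all-users Startup folder.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
SCRIPT_EXTENSIONS = {".bat", ".cmd"}

def is_startup_script(path):
    """True if path is a batch script placed directly in a Startup folder."""
    folder, name = ntpath.split(path.lower())
    return folder.endswith(STARTUP_SUFFIX) and ntpath.splitext(name)[1] in SCRIPT_EXTENSIONS

def triage(events):
    """Return (host, reason) pairs for events matching either artifact."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and is_startup_script(ev["path"]):
            findings.append((ev["host"], "batch script written to Startup folder"))
        elif ev["type"] == "net_connect" and ev["dst_ip"] == CONFIG_SERVER_IP:
            findings.append((ev["host"], "connection to reported config server"))
    return findings

def hosts_matching_both(findings):
    """Hosts showing persistence AND config retrieval: highest triage priority."""
    reasons = {}
    for host, reason in findings:
        reasons.setdefault(host, set()).add(reason)
    return sorted(h for h, r in reasons.items() if len(r) == 2)

# Constructed sample events (hypothetical schema, hosts and file names).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_create",
     "path": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"host": "WS-01", "type": "net_connect", "dst_ip": "93.115.172.41"},
    {"host": "WS-02", "type": "file_create", "path": r"C:\Users\dev\Downloads\setup.bat"},
    {"host": "WS-02", "type": "file_create",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Teams.lnk"},
    {"host": "WS-03", "type": "net_connect", "dst_ip": "93.115.172.41"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, reason in found:
        print(f"{host}: {reason}")
    print("both artifacts:", hosts_matching_both(found))
```

Ordinary shortcuts (.lnk) in the Startup folder are deliberately ignored, so only script files dropped there are reported.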
CrowdStrike emphasizes that this is not the first fraud attempt of this kind. For some time now, the company has been observing scams in which false job offers are sent out in CrowdStrike's name. The cybersecurity provider therefore advises users to be particularly wary of unexpected job offers that invite them to download software.