Recruitment Phishing Scam Imitates CrowdStrike Hiring Process

A newly discovered phishing campaign uses CrowdStrike recruitment branding to convince victims to download a fake application, which serves as a downloader for the XMRig cryptominer.

On January 7, 2025, CrowdStrike uncovered a phishing campaign that misused its recruitment branding to distribute malware disguised as an "employee CRM application." The campaign starts with phishing emails impersonating CrowdStrike's recruitment team, luring recipients to a fraudulent website. There, victims are encouraged to download and execute a counterfeit application, which functions as a downloader for the XMRig cryptominer.

How the Scam Works

The downloaded executable performs several environment checks to evade detection and analysis before downloading additional payloads. These checks include:

  • Detecting whether a debugger is attached to the process, using the IsDebuggerPresent Windows API
  • Ensuring the system has a minimum number of active processes
  • Verifying that the CPU has at least two cores
  • Scanning the list of running processes for common malware analysis or virtualization tools, so that the malware does not run in sandboxed or monitored environments

If these checks are passed, the executable displays a fake error message pop-up before continuing.

Once the basic environment checks are completed and the fake error message is displayed, the executable proceeds to download a text file (the XMRig parameter file listed under Network Indicators below) from the URL:

Blog-RecruitmentPhish-Code1

This file contains configuration information for XMRig in the form of command-line arguments that can be appended to a call to the XMRig miner executable.

The executable then downloads a copy of XMRig from GitHub, from the URL:

Blog-RecruitmentPhish-Code2

The downloaded ZIP file is saved to the following path:

Blog-RecruitmentPhish-Code3

The executable extracts the contents of the ZIP file into the %TEMP%\System\ directory and copies the main XMRig executable to the path:

Blog-RecruitmentPhish-Code4

The malware then runs the XMRig miner, using the command-line arguments inside the downloaded configuration text file:

Blog-RecruitmentPhish-Code5

The executable establishes persistence via two methods: a batch script in the Start Menu Startup directory, and a Windows Registry logon autostart key written by that script.

  • Drops a Windows batch script to the Start Menu Startup directory, at this path:

Blog-RecruitmentPhish-Code6

This batch script executes a dropped copy of the downloaded miner, located at:

Blog-RecruitmentPhish-Code7

The contents of the batch script are the following:

Blog-RecruitmentPhish-Code8

  • The batch script writes a new Windows Registry logon autostart key, located at:

Blog-RecruitmentPhish-Code9

This logon autostart entry executes a dropped copy of the original malicious downloader, located at:

Blog-RecruitmentPhish-Code10
This campaign highlights the importance of vigilance against phishing scams, particularly those targeting job seekers. Individuals in the recruitment process should verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files. Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.

Outside of this campaign, we are aware of scams involving false offers of employment with CrowdStrike. Fraudulent interviews and job offers use fake websites, email addresses, group chats and text messages. We do not interview prospective candidates via instant message or group chat, nor do we require candidates to purchase products or services, or process payments on our behalf, as a condition of any employment offer. And, in reference to the campaign detailed above, we do not ask candidates to download software for interviews.

Those interested in applying for a role at CrowdStrike should navigate to our Careers page to learn about our job openings and begin our official application process. To verify the authenticity of CrowdStrike recruitment communications, please reach out to recruiting@crowdstrike.com.

The phishing site, cscrm-hiring[.]com, serves as the base for the attack, hosting the malicious executable and directing victims to download the fake CRM application. The malware establishes its presence by executing in the background, using minimal CPU resources to avoid detection. Key indicators include specific file paths, registry entries and network communication.

Network Indicators

Indicator                                                       Description
cscrm-hiring[.]com                                              Domain of the phishing site
https[:]//cscrm-hiring[.]com/cs-applicant-crm-installer[.]zip   URL serving the malicious executable
93.115.172[.]41                                                 IP hosting the threat actor's mining pool and configuration data
http[:]//93.115.172[.]41/private/aW5zdHJ1Y3Rpb25zCg==.txt       Text file containing the XMRig command-line parameters
93.115.172[.]41:1300                                            Mining pool hosted by the threat actor
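As an added example that is not part of the original post, the following Python script turns the execution chain described under How the Scam Works and the indicators in the table above into hunting logic run over constructed, Sysmon-style endpoint events. The event records, the Startup batch script file name (update.bat), the Run key value name (Updater) and the staged executable names are assumptions made for illustration, since the post shows the real paths only in images; the network indicators are taken from the table, and the XMRig switches matched (-o/--url, --donate-level) are real XMRig options.

```python
"""Hunt for the recruitment-phish XMRig chain in constructed endpoint telemetry.

Added example, not CrowdStrike's code. File, key and value names in the sample
events are hypothetical; IPs, domain and port come from the Network Indicators table.
"""
import re

# Network indicators from the post's table.
IOC_IPS = {"93.115.172.41"}
IOC_DOMAINS = {"cscrm-hiring.com"}
IOC_POOL_PORT = 1300

# Real XMRig switches: a pool URL (-o/--url host:port) or an explicit donate level.
XMRIG_SWITCHES = re.compile(
    r"(?:^|\s)(?:--donate-level\b|(?:-o|--url)[ =]\S+:\d+)", re.IGNORECASE
)
# The post states the miner is staged under %TEMP%\System\; match the user temp dir.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Batch/command script dropped into the per-user Start Menu Startup folder.
STARTUP_DIR = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd)$", re.IGNORECASE
)
# Logon autostart (Run) key, as written by the batch script in the post.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry (hypothetical names; not taken from the post).
SAMPLE_EVENTS = [
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "cscrm-hiring.com"},
    {"type": "process_create",
     "image": r"C:\Users\vic\AppData\Local\Temp\System\xmrig.exe",
     "cmdline": r"xmrig.exe -o 93.115.172.41:1300 -k --donate-level 0",
     "parent": r"C:\Users\vic\Downloads\cs-applicant-crm-installer.exe"},
    {"type": "network_connect",
     "image": r"C:\Users\vic\AppData\Local\Temp\System\xmrig.exe",
     "dst_ip": "93.115.172.41", "dst_port": 1300},
    {"type": "file_create",
     "path": r"C:\Users\vic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\vic\AppData\Local\Temp\System\installer.exe"},
    # Benign control events that must not fire any rule.
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\vic\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def classify(event: dict) -> list:
    """Return the rule names one event triggers; an empty list means benign."""
    hits = []
    kind = event["type"]
    if kind == "dns_query" and event["query"].lower() in IOC_DOMAINS:
        hits.append("phishing_domain_lookup")
    if kind == "process_create":
        if XMRIG_SWITCHES.search(event["cmdline"]):
            hits.append("xmrig_cmdline")
        if TEMP_DIR.search(event["image"]):
            hits.append("exec_from_temp")
    if kind == "network_connect" and event["dst_ip"] in IOC_IPS:
        hits.append("ioc_ip_connection")
        if event["dst_port"] == IOC_POOL_PORT:
            hits.append("mining_pool_connection")
    if kind == "file_create" and STARTUP_DIR.search(event["path"]):
        hits.append("startup_folder_script")
    if (kind == "registry_set" and RUN_KEY.search(event["key"])
            and TEMP_DIR.search(event["value"])):
        hits.append("run_key_to_temp")
    return hits


def hunt(events: list) -> dict:
    """Map each triggered rule name to the events that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

The IOC rules are exact matches and will age as infrastructure changes; the behavioural rules (a miner command line, an executable launched from the temp directory, a script in the Startup folder, a Run key pointing into the temp directory) are what keep catching the next variant. Tighten exec_from_temp to the %TEMP%\System\ directory named in the post if the generic temp match is too noisy in your environment.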