
Fake CrowdStrike job ads target developers

CrowdStrike warns that a phishing campaign is mimicking the security company. The fake emails contain job postings to trick recipients into infecting themselves with a Monero cryptominer (XMRig).

The company discovered the malicious campaign on Jan. 7, 2025. Based on the content of the phishing email, it is likely that the campaign did not begin much earlier.

The attack begins with a phishing email that the criminals send to job seekers. The email purports to come from a CrowdStrike employee who thanks the recipient for applying for a developer position at the company.

Streamlining the onboarding process

The email instructs victims to download an employee CRM application from a website that looks like a legitimate CrowdStrike portal. The application is supposedly part of the company’s efforts to streamline the onboarding process.

Candidates who click on the embedded link are redirected to a website offering downloads of the application for Windows or macOS. Before doing anything else, the downloaded tool checks whether it is running in an analysis environment, for example by looking at the number of running processes, the number of CPU cores and the presence of a debugger.

Fake error message

If these checks pass (that is, the machine looks like a real victim rather than a sandbox), the application displays a fake error message claiming that the installation file is probably corrupt.

In the background, the downloader retrieves a configuration text file with the necessary parameters to run XMRig.

It then downloads a ZIP archive containing the miner from a GitHub repository and extracts the files. The miner is configured to run in the background and to cap its CPU usage at 10% so that it does not draw attention. For persistence across reboots, a batch script is placed in the Start menu's Startup folder and an autostart key is written to the registry.
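The two persistence mechanisms described above are exactly the artifacts a defender can enumerate quickly on a Windows host. The following PowerShell function is an added example for this article, not code from CrowdStrike's report: it lists every entry in the per-user and all-users Startup folders and in the HKCU/HKLM Run and RunOnce keys, and flags entries matching a small pattern list. That pattern list (batch-file launchers, the string "xmrig", temp-directory paths) is an assumption for illustration; real indicators should come from the vendor's report.

```powershell
# Added example (not from CrowdStrike's report): hunt for the persistence
# artifacts the campaign is described as using. Pattern list is an assumption.

function Find-SuspiciousAutoruns {
    [CmdletBinding()]
    param(
        # Assumed indicators: batch/cmd launchers, the miner name, user-writable temp paths.
        [string[]]$SuspectPatterns = @('\.(bat|cmd)\b', 'xmrig', '\\AppData\\Local\\Temp\\', '\\Temp\\')
    )

    $findings = @()

    # 1. Startup folders: anything here runs at every interactive logon.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force) {
            $flagged = $false
            foreach ($pat in $SuspectPatterns) {
                if ($file.FullName -match $pat) { $flagged = $true; break }
            }
            $findings += [pscustomobject]@{
                Source  = 'StartupFolder'
                Key     = $dir
                Name    = $file.Name
                Value   = $file.FullName
                Flagged = $flagged
            }
        }
    }

    # 2. Registry autostart values for the current user and for the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autorun value
            $value = [string]$p.Value
            $flagged = $false
            foreach ($pat in $SuspectPatterns) {
                if ($value -match $pat) { $flagged = $true; break }
            }
            $findings += [pscustomobject]@{
                Source  = 'Registry'
                Key     = $key
                Name    = $p.Name
                Value   = $value
                Flagged = $flagged
            }
        }
    }

    return $findings
}

# Usage: show every autorun entry, flagged ones first, so outliers are visible at a glance.
Find-SuspiciousAutoruns | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on the host in question; an elevated session is not required to read these locations. Because the miner caps itself at 10% CPU, alerting on processor load alone is unreliable, so the Startup folder script and the registry autostart value, together with the GitHub download traffic, are the more dependable signals. Anything the function flags should be compared against the indicators of compromise in CrowdStrike's report before being treated as confirmed.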

More details about the campaign and indicators of compromise can be found in CrowdStrike’s report.