Fake CrowdStrike Job Offer Emails Target Devs With Crypto Miners

Summary:
CrowdStrike has issued a warning about a phishing campaign targeting job seekers by impersonating the company. Discovered on January 7, 2025, the campaign involves fake job offer emails from a supposed CrowdStrike recruiter, thanking recipients for applying for a developer position. The emails encourage recipients to download a supposed "employee CRM application" from a fraudulent website, designed to look like a legitimate CrowdStrike portal. This malicious link leads to a site (cscrm-hiring[.]com) where victims are tricked into downloading a Monero cryptocurrency miner (XMRig) disguised as the employee CRM application for both Windows and macOS.

The downloaded tool conducts sandbox checks to confirm it is not running within a virtual environment. This is done by checking several factors such as the process count, CPU core count, and the presence of debuggers. Once a suitable system is identified, the tool displays a fake error message about a corrupt installer while silently downloading a configuration file containing the settings needed to run the XMRig cryptocurrency miner.

“The miner is set to run in the background, consuming minimal processing power (max 10%) to avoid detection. A batch script is added in the Start Menu Startup directory for persistence between reboots, while a logon autostart key is also written in the registry” (Bleeping Computer, 2025).


Security Officer Comments:
While the latest phishing campaign has not been linked to a specific threat group, the use of fake job offer emails is a tactic commonly associated with North Korean groups like Lazarus, which have previously employed this method to steal cryptocurrency from targeted victims.


Researchers have found that the miner is hosted on a GitHub repository, which is then downloaded and installed as a ZIP file once the victim attempts to download the "employee CRM application." Overall, GitHub’s widespread popularity as a free platform for hosting code and files makes it an attractive choice for attackers, as it is less likely to trigger security alerts, allowing them to bypass detection systems.


Suggested Corrections:
Job seekers should verify that they are communicating with a legitimate recruiter by checking the email address for the official company domain and contacting the recruiter through the company's official website. They should be cautious of urgent requests, offers that seem too good to be true, or invitations to download executable files, as employers typically do not ask candidates to download third-party applications or make upfront payments during the interview process. Endpoint security solutions should also be updated to detect and block cryptocurrency miners and other malicious payloads. Additionally, regular system scans, along with monitoring for unusual processes and registry changes, can help identify and remove infections. Lastly, enforcing the use of multi-factor authentication and ensuring the integrity of software installations can reduce the likelihood of successful attacks.
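The persistence described in the Bleeping Computer quote (a batch script in the Start Menu Startup directory plus a logon autostart registry value) and the "monitoring for unusual processes and registry changes" recommended above can be checked on a single Windows host with a short hunting script. The following is an added example written for this page, not code from the article, from CrowdStrike, or from Bleeping Computer. It assumes the "logon autostart key" is one of the standard Run/RunOnce keys (the article does not name the exact key or value name), and the miner command-line switches it looks for (`--donate-level`, `--cpu-max-threads-hint`, the `-o`/`-u` pool and user options) are generic XMRig options, not indicators taken from this campaign.

```powershell
# Added example (not from the article or CrowdStrike): hunt for the persistence
# and miner artifacts described in the advisory on one Windows host.
# Run from an elevated PowerShell prompt so HKLM and all-users paths are readable.

# Per-user and all-users Startup folders (the article describes a batch script here).
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

# ASSUMPTION: the "logon autostart key" is one of the standard Run/RunOnce keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 'xmrig' is named in the article; the switches are generic XMRig command-line
# options and are assumptions about how such a miner is typically launched.
$minerPattern  = 'xmrig|--donate-level|--cpu-max-threads-hint|-o\s+\S+:\d+\s+-u\s+\S+'
$scriptPattern = '\.(bat|cmd|vbs|ps1)\b'

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Script files dropped in a Startup folder, with hash and write time for triage.
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(bat|cmd|vbs|ps1)$' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Source = 'StartupFolder'
                Item   = $_.FullName
                Detail = "Written $($_.LastWriteTime); SHA256 $hash"
            })
        }
}

# 2. Logon autostart values that launch a script or look like a miner.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not autostart entries
        $value = [string]$p.Value
        if ($value -match $scriptPattern -or $value -match $minerPattern) {
            $findings.Add([pscustomobject]@{
                Source = 'RegistryRun'
                Item   = "$key\$($p.Name)"
                Detail = $value
            })
        }
    }
}

# 3. Running processes whose image name or command line matches the miner pattern.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match 'xmrig' -or $_.CommandLine -match $minerPattern } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source = 'Process'
            Item   = "$($_.Name) (PID $($_.ProcessId))"
            Detail = $_.CommandLine
        })
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Startup-folder scripts, suspicious Run values, or miner-like processes found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because the miner is throttled to a small share of CPU, looking for high utilisation alone will miss it; the script therefore keys on the persistence artifacts and command-line content instead. Any hit should be treated as a lead for triage (verify the file hash, the parent process, and who created the Run value), not as confirmation on its own, since legitimate software also uses Startup folders and Run keys.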


IOCs:
https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/

Link(s):

https://www.bleepingcomputer.com/news/security/fake-crowdstrike-job-offer-emails-target-devs-with-crypto-miners/