Scammers target job-seeking developers with fake CrowdStrike offer in emails

CrowdStrike has warned that cryptojackers are impersonating the cybersecurity company via email in order to trick developers into unknowingly installing the XMRig cryptocurrency miner on their Windows PCs.

The scheme hinges on the assumption that some of the targets have previously applied for a job at CrowdStrike, or at the very least believe that they have. Leveraging CrowdStrike's web page where job openings are listed, the phishing email impersonates the company and prompts the potential victim to download a desktop app purportedly for scheduling an interview.

The email directs the recipient to a CrowdStrike-branded site where they are instructed to download a supposedly legitimate Windows or macOS version of the "new applicant and employee CRM app." In reality, both download buttons deliver the same malicious executable, which specifically targets Windows systems.

Once the downloaded ZIP file is run, it deploys an executable that conducts several checks on the target system: it scans for debugging tools, malware analysis software and virtualization tools, and checks specific CPU and active-process requirements. If the conditions are met, a fake error message is displayed to distract the user while, in the background, the XMRig cryptocurrency miner is downloaded from GitHub along with a text configuration file.

Once the miner is installed and configured, the executable creates a duplicate copy and inserts a new Windows Registry logon autostart key to ensure the miner runs each time the system is restarted. Notably, the miner operates stealthily, utilizing minimal CPU resources to evade detection.
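For defenders, the behaviour chain described above (a binary run from a user's download location, a fetch from GitHub, then a logon autostart write) can be correlated per process. The following is an added example, not code from CrowdStrike or the original article; the events are constructed Sysmon-style records, and the Run/RunOnce key and user-writable path patterns are assumptions, since the article does not name the exact key or file paths.

```python
import re
from collections import defaultdict

# Assumption: the "logon autostart key" is a Run/RunOnce value; the article does not name it.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: user-writable locations where an extracted download typically executes.
USER_PATH = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)
GITHUB_HOST = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$", re.I)

# Constructed Sysmon-style events (1 = process create, 3 = network, 13 = registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "guid": "A", "Image": r"C:\Users\dev\Downloads\app\interview-app.exe"},
    {"id": 3, "guid": "A", "DestinationHostname": "objects.githubusercontent.com"},
    {"id": 13, "guid": "A",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\dev\AppData\Local\Temp\copy.exe"},
    # Benign: installed Git talking to GitHub, no autostart write.
    {"id": 1, "guid": "B", "Image": r"C:\Program Files\Git\cmd\git.exe"},
    {"id": 3, "guid": "B", "DestinationHostname": "github.com"},
    # Benign: installer registering a Program Files binary, no GitHub fetch.
    {"id": 1, "guid": "C", "Image": r"C:\Users\dev\Downloads\setup.exe"},
    {"id": 13, "guid": "C",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\tool",
     "Details": r"C:\Program Files\Tool\tool.exe"},
]

def find_suspect_processes(events):
    """Return processes that show all three behaviours, keyed by process GUID."""
    seen = defaultdict(lambda: {"image": None, "github": [], "autostart": []})
    for ev in events:
        proc = seen[ev["guid"]]
        if ev["id"] == 1:
            proc["image"] = ev["Image"]
        elif ev["id"] == 3 and GITHUB_HOST.search(ev.get("DestinationHostname", "")):
            proc["github"].append(ev["DestinationHostname"])
        elif ev["id"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            # Only count autostart values that point back into a user-writable path.
            if USER_PATH.search(ev.get("Details", "")):
                proc["autostart"].append((ev["TargetObject"], ev["Details"]))
    return {
        guid: proc for guid, proc in seen.items()
        if proc["image"] and USER_PATH.search(proc["image"])
        and proc["github"] and proc["autostart"]
    }

if __name__ == "__main__":
    for guid, proc in find_suspect_processes(SAMPLE_EVENTS).items():
        print(guid, proc["image"], proc["github"], proc["autostart"])
```

Requiring all three signals on the same process keeps ordinary Git traffic and installers that register binaries under Program Files out of the results.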

The incident shows how readily users can be exploited through job offers or enticing interview opportunities, a tactic commonly employed by cryptojackers, scammers, malware distributors, and even state-sponsored APT groups seeking unauthorized access to organizations. CrowdStrike has specifically highlighted the prevalence of fraudulent job offers associated with the company, cautioning individuals against falling victim to them.

The company emphasized that it does not conduct interviews via instant messaging or group chats, nor does it require candidates to make purchases, process payments, or download software during the recruitment process. Stressing the importance of staying vigilant against phishing scams, particularly those targeting job seekers, CrowdStrike urged individuals to verify the authenticity of communications from the company and refrain from downloading unsolicited files.

In conclusion, the threat posed by cybercriminals leveraging sophisticated social engineering tactics to deceive unsuspecting individuals remains prevalent, underscoring the critical need for enhanced cybersecurity awareness and proactive measures to safeguard against such nefarious activities. It serves as a stark reminder for individuals to exercise caution and verify the legitimacy of all communications and requests, especially in the context of job offers and recruitment processes.
