NEWS BRIEF
Cybercriminals have picked up a new tactic: impersonating CrowdStrike recruiters in order to deliver a cryptominer to their victims’ devices.
This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.
The illegitimate email contains a link that purports to take the recipient to a site where they can schedule their interview but in reality takes the victim to a malicious website containing links to download a purported “CRM application.”
“While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme,” said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. “The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike.”
Malicious Recruiter Lures Target Both Windows & Mac
The site offers download options for both Windows and macOS, but regardless of which option the victim selects, it downloads a Windows executable written in Rust. The executable then downloads the cryptominer XMRig.
The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.
If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.
CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that’s circulating out there.
It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting [email protected].
“It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process,” Caldwell noted. “Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website.”