Cybersecurity company CrowdStrike is alerting of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner that’s disguised as an employee CRM application as part of a supposed recruitment process.
“The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website,” the company said. “Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig.”
The Texas-based company said it discovered the malicious campaign on January 7, 2025, and that it’s “aware of scams involving false offers of employment with CrowdStrike.”
The phishing email lures recipients by claiming that they have been shortlisted for the next stage of the hiring process for a junior developer role, and that they need to join a call with the recruitment team by downloading a customer relationship management (CRM) tool provided in the embedded link.
The downloaded binary, once launched, performs a series of checks to evade detection and analysis prior to fetching the next-stage payloads.
These checks include detecting the presence of a debugger and scanning the list of running processes for malware analysis or virtualization software tools. They also ensure that the system has a certain number of active processes and the CPU has at least two cores.
Should the host satisfy all the criteria, an error message about a failed installation is displayed to the user, while covertly downloading the XMRig miner from GitHub and its corresponding configuration from another server (“93.115.172[.]41”) in the background.
“The malware then runs the XMRig miner, using the command-line arguments inside the downloaded configuration text file,” CrowdStrike said, adding the executable establishes persistence on the machine by adding a Windows batch script to the Start Menu Startup folder, which is responsible for launching the miner.
Fake LDAPNightmare PoC Targets Security Researchers
The development comes as Trend Micro revealed that a fake proof-of-concept (PoC) for a recently disclosed security flaw in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP) – CVE-2024-49113 (aka LDAPNightmare) – is being used to lure security researchers into downloading an information stealer.
The malicious GitHub repository in question – github[.]com/YoonJae-rep/CVE-2024-49113 (now taken down) – is said to be a fork of the original repository from SafeBreach Labs hosting the legitimate PoC.
The counterfeit repository, however, replaces the exploit-related files with a binary named “poc.exe” that, when run, drops a PowerShell script to create a scheduled task to execute a Base64-encoded script. The decoded script is then used to download another script from Pastebin.
The final-stage malware is a stealer that collects the machine’s public IP address, system metadata, process list, directory lists, network IP addresses, network adapters, and installed updates.
“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” security researcher Sarah Pearl Camiling said.
