Cybercriminals Use Fake CrowdStrike Job Offers to Distribute Malware


Cybercriminals are impersonating CrowdStrike recruiters to distribute a cryptominer on victim devices.

CrowdStrike said it identified a phishing campaign exploiting its recruitment branding on January 7.

The campaign starts with a phishing email, which purports to be part of the cybersecurity firm’s recruitment process. The email invites the target to schedule an interview for a junior developer role.

The email contains a link claiming to take the recipient to a site where they can schedule their interview.

This routes the victim to a malicious phishing site containing download links for a fake “CRM application,” with separate links for Windows and macOS.

Regardless of which of these options is selected, the user will download a Windows executable written in Rust. This executable functions as a downloader for XMRig, a cryptominer.

The downloaded executable performs several environment checks designed to evade detection and analyze the infected device. These include scanning the list of running processes for common malware analysis or virtualization software tools, verifying that the central processing unit has at least two cores and detecting if a debugger is attached to the process using the IsDebuggerPresent Windows API.

If these checks are passed, the executable displays a fake error message pop-up before proceeding to download additional payloads to achieve persistence and run the XMRig miner.
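As an added example (not from CrowdStrike's report or the original article), the Python heuristic below looks in a file's raw bytes for traces of the three environment checks described above, as a first-pass triage step. The API names other than IsDebuggerPresent, the tool-name list and the scoring threshold are assumptions, and the sample byte strings are constructed.

```python
# Added example: static triage for the environment checks described in the article.
# Every marker except IsDebuggerPresent is an assumption, not taken from the campaign.
MARKERS = {
    "debugger_check": [b"IsDebuggerPresent"],
    "process_enumeration": [b"CreateToolhelp32Snapshot", b"Process32FirstW", b"Process32NextW"],
    "cpu_core_check": [b"GetSystemInfo", b"GetNativeSystemInfo"],
    "analysis_tool_names": [b"wireshark", b"procmon", b"x64dbg", b"ollydbg",
                            b"vboxservice", b"vmtoolsd"],
}


def _contains(lowered: bytes, needle: bytes) -> bool:
    """Search lower-cased data for needle stored as ASCII or as UTF-16LE."""
    needle = needle.lower()
    wide = b"".join(bytes([c, 0]) for c in needle)
    return needle in lowered or wide in lowered


def triage(data: bytes) -> dict:
    """Report which check categories leave traces in the file's raw bytes."""
    lowered = data.lower()
    hits = {name: [m.decode() for m in markers if _contains(lowered, m)]
            for name, markers in MARKERS.items()}
    # Process enumeration is common in benign software, so it only counts
    # when analysis-tool names are embedded alongside it.
    process_scan = bool(hits["process_enumeration"] and hits["analysis_tool_names"])
    score = sum([bool(hits["debugger_check"]), process_scan, bool(hits["cpu_core_check"])])
    # IsDebuggerPresent alone is imported by many benign programs (the MSVC
    # runtime uses it), so one category is never enough to flag a file.
    return {"hits": hits, "score": score, "review": score >= 2}


# Constructed byte strings standing in for file contents (not real samples).
SAMPLE_SUSPECT = (b"MZ\x90\x00" + b"IsDebuggerPresent\x00CreateToolhelp32Snapshot\x00"
                  + b"Process32NextW\x00GetSystemInfo\x00wireshark.exe\x00"
                  + "x64dbg.exe".encode("utf-16le"))
SAMPLE_BENIGN = b"MZ\x90\x00" + b"GetSystemInfo\x00CreateToolhelp32Snapshot\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        result = triage(blob)
        print(label, result["score"], result["review"], result["hits"])
```

A packed or string-obfuscated binary will score zero here, so a low score is not evidence that a file is clean.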

Cryptominers are malicious software designed to hijack a computer’s processing power in order to mine cryptocurrency.

Cryptomining can cause affected devices to overheat, resulting in damage and shortening device lifespan.

CrowdStrike Warns Job Seekers to be Vigilant

CrowdStrike said it is aware of other scams involving false offers of employment. These scams typically involve the use of fake websites, email addresses, group chats and text messages.

The vendor set out advice for job seekers to avoid falling victim to fake CrowdStrike interview and recruitment scams. Warning signs include:

  • Interviews that claim to be carried out via instant message or group chat
  • Being asked to purchase products or services, or process payments as a condition of any employment offer
  • Being asked to download software for interviews

The vendor also advised:

  • Individuals in the recruitment process should verify the authenticity of CrowdStrike communications by contacting recruiting@crowdstrike.com
  • Those interested in applying for a role at the company should use CrowdStrike’s official Careers page to learn about job openings and use the official application process


