A recent cybersecurity alert has revealed that fake CrowdStrike recruiters are distributing malware through phishing emails, tricking victims into downloading a malicious executable that installs a cryptocurrency miner. The scam uses a fake recruitment domain to lure job seekers.
Affected: CrowdStrike, job seekers, cryptocurrency mining sector
Key points:
- Fake CrowdStrike recruiters are distributing malware via phishing emails.
- The phishing emails direct victims to a fraudulent domain: https://cscrm-hiring.com/.
- Victims are prompted to download a malicious file named cs-applicant-crm-installer.exe.
- The file installs XMRig, a cryptocurrency miner that hijacks system resources to mine Monero (XMR).
- The malware generates fake error messages to evade detection.
- It downloads configuration files and executable files from malicious URLs.
- The malware establishes persistence through scheduled tasks and registry modifications.
- Indicators of Compromise (IoCs) include specific MD5 hashes, IP addresses, and domains.
- Mitigation strategies include blocking malicious domains, scanning for malware, and educating employees.
MITRE Techniques:
- T1071.001: Application Layer Protocol – The malware communicates with a remote server using HTTP.
- T1047: Windows Management Instrumentation – The malware establishes persistence by creating scheduled tasks.
- T1059.001: Command and Scripting Interpreter: PowerShell – The malware executes commands to run the XMRig miner.
- T1203: Exploitation for Client Execution – The phishing email exploits user trust to execute the malicious file.
- T1486: Data Encrypted for Impact – The malware uses system resources to mine cryptocurrency without user consent.
Indicators of Compromise:
- [file hash] 7d6b277566cd13c79fc985cd532837ae
- [url] http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt
- [domain] cscrm-hiring.com
- [ip address] 93.115.172.41
- [email] support@cscrm-hiring.com
- See the original article for the full list of IoCs.