Cybersecurity firm CrowdStrike warns of fake job offers spreading XMRig miner

CrowdStrike has warned of a new phishing campaign that mimics the onboarding process to trick Monero miners into submission via a fake app download.

Global cybersecurity provider CrowdStrike has detected a phishing campaign leveraging recruitment emails to distribute malicious Monero (XMR) mining software.

The Austin-based firm explained in a blog post that the scam uses fake job offers to trick people into downloading an app that installs the XMRig miner on their systems. CrowdStrike says phishing emails mimic the recruitment process and direct victims to a fake website. There, they are asked to download a “working CRM app,” which is essentially the crypto miner’s downloader.

“The attack begins with a phishing email that impersonates CrowdStrike recruitment and redirects recipients to a malicious website. “Victims are asked to download and run a fake app that acts as a downloader for the crypto miner XMRig.”

CrowdStrike

CrowdStrike explained that the downloaded file checks the victim’s system to avoid detection. “If these checks are successful, the executable will display a fake error message pop-up before continuing,” the company said. After that, the malicious application downloads and installs the XMRig miner.

CrowdStrike says phishing site rented cscrm[.]com.tr, which hosts the fake CRM application, emphasizes that it never asks candidates to download software during the recruitment process and urges job seekers to be careful.

The latest campaign is another reminder that crypto scams can emerge behind fake job offers. A similar incident occurred during the 2022 Ronin Network hack, in which North Korean state-sponsored hacking collective Lazarus Group tricked an employee with a phishing email into opening a malicious PDF file, leading to the theft of more than $600 million in cryptocurrencies.