Full Report
Cybersecurity company CrowdStrike is warning of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner disguised as an employee CRM application, delivered as part of a supposed recruitment process. "The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website," the company said. "Victims are prompted to
Analysis Summary
# Tool/Technique: XMRig Cryptocurrency Miner (via CrowdStrike Phishing Campaign)
## Overview
A cryptocurrency mining malware (XMRig) distributed via a sophisticated phishing campaign impersonating the cybersecurity company CrowdStrike's recruitment process. The initial lure involves victims downloading a fake CRM application that secretly deploys the miner.
## Technical Details
- Type: Malware family (Cryptominer)
- Platform: Windows (Implied by persistence mechanism)
- Capabilities: Evasion via anti-analysis checks, covert download of the miner, persistence via the Startup folder.
- First Seen: January 7, 2025 (Discovery date by CrowdStrike)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied by downloading a malicious binary)
- TA0005 - Defense Evasion
- T1055 - Process Injection (Potentially implied by covert execution)
- T1070 - Indicator Removal on Host (Implied by anti-analysis checks)
- T1070.004 - File Deletion
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Downloading payloads from GitHub/C2 server)
## Functionality
### Core Capabilities
- **Anti-Analysis/Evasion:** Detects debuggers, scans for malware analysis or virtualization software running processes, and verifies the system has a minimum number of active processes and at least two CPU cores.
- **Payload Delivery (Staged):** Downloads the XMRig miner executable from GitHub and its configuration file from a secondary server (93.115.172[.]41).
- **Execution:** Runs the XMRig miner using parameters defined in the downloaded configuration file.
- **Persistence:** Establishes persistence by adding a Windows batch script to the Start Menu Startup folder to relaunch the miner upon system boot.
### Advanced Features
- If anti-analysis checks fail, the sample displays a spurious "failed installation" error message to the user, hiding the malicious background activity.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Fake CRM application binary, XMRig miner executable, persistence batch script.
- Registry Keys: [Not provided in the text, but persistence occurs via Startup folder]
- Network Indicators: C2 source for configuration: `93.115.172[.]41`, Payload hosting observed on GitHub.
- Behavioral Indicators: Checking for multiple processes/CPU cores, writing batch files to the Startup directory, spawning XMRig processes.
## Associated Threat Actors
- Unspecified threat actor/group responsible for the spearphishing campaign.
## Detection Methods
- Signature-based detection: Signatures for the downloaded XMRig binary and the persistence script.
- Behavioral detection: Detection of applications performing environment checks (debugger/VM detection) and creating auto-run entries in the Startup folder.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- Prevention measures: Enhanced email gateway filtering, comprehensive user awareness training emphasizing recruitment verification procedures, especially for unsolicited job offers.
- Hardening recommendations: Disable execution of unauthorized binaries, restrict write access to system-critical folders (including the Startup directory), ensure security software (like CrowdStrike) is running and up-to-date to detect emulation/analysis attempts.
## Related Tools/Techniques
- XMRig (Standard Monero cryptocurrency mining software often abused by threat actors).
- Spearphishing (The initial delivery method).
***
# Tool/Technique: Fake LDAPNightmare PoC (CVE-2024-49113 related)
## Overview
A malicious package disguised as a proof-of-concept (PoC) exploit for the recently disclosed LDAP vulnerability (CVE-2024-49113 / LDAPNightmare). This lure targets security researchers to deploy an information stealer.
## Technical Details
- Type: Tool / Malware Loader (Information Stealer)
- Platform: Windows (Implied by PowerShell and scheduled task use)
- Capabilities: Delivery via cloned GitHub repositories; execution of a downloaded binary that launches PowerShell; persistence via scheduled tasks; an information stealer as the final payload.
- First Seen: [Not provided, context suggests shortly after CVE disclosure]
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.004 - Phishing: Spearphishing Link (Via malicious GitHub link)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
- T1547.005 - Scheduled Task/Job
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Implied by Stealer functionality)
## Functionality
### Core Capabilities
- **Masquerading:** Cloning a legitimate PoC repository (from SafeBreach Labs) on GitHub to host malicious files.
- **Initial Execution:** A binary named "poc.exe" replaces the legitimate exploit code.
- **Staged Execution:** "poc.exe" drops and executes a PowerShell script.
- **Persistence:** The PowerShell script creates a scheduled task to run a subsequent Base64-encoded script.
- **Payload Retrieval:** The decoded script downloads the final information stealer payload from Pastebin.
### Advanced Features
- Sophisticated collection of system data by the final stealer payload.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: "poc.exe", final stealer binary.
- Registry Keys: [Not provided in the text]
- Network Indicators: Malicious GitHub repository: `github[.]com/YoonJae-rep/CVE-2024-49113` (now taken down), Pastebin URL for final payload.
- Behavioral Indicators: Creation of scheduled tasks, execution of Base64-encoded PowerShell scripts from a file dropped by an executable named 'poc.exe'.
## Associated Threat Actors
- Unspecified threat actor leveraging trending security vulnerabilities to target researchers.
## Detection Methods
- Signature-based detection: Signatures for the specific dropper/stealer binaries.
- Behavioral detection: Monitoring for processes creating scheduled tasks or executing encoded commands in PowerShell originating from unexpected binaries (like "poc.exe").
- YARA rules: [Not provided in the text]
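As an added example (not code from the original report, CrowdStrike or the cloned repository), the following Python detector applies the behavioral checks listed here and in the XMRig section above to constructed, simplified Sysmon-style events: encoded PowerShell launched from an unexpected parent, `schtasks /Create`, and autorun files written to the Startup folder. The event field names, the parent allow-list and all sample paths are assumptions; the Startup-folder check generalizes beyond batch files to other autorun extensions.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed sample events (simplified Sysmon-style fields); none are real telemetry.
ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\a\Downloads\poc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "poc.exe"},
    {"type": "process", "image": PS, "parent": r"C:\Users\a\Downloads\poc.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENC}"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": r"schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\a\AppData\Local\Temp\s2.bat"},
    {"type": "file", "image": r"C:\Users\a\Downloads\crm_setup.exe",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
]
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "services.exe", "svchost.exe"}  # assumed allow-list
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
AUTORUN_EXT = {".bat", ".cmd", ".vbs", ".ps1", ".exe", ".lnk"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")

def basename(path): return PureWindowsPath(path).name.lower()

def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument (Base64 of UTF-16LE text) so the analyst sees what ran."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(events):
    """Flag the three behaviours; severity is raised when the parent process is unexpected."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        sev = "high" if parent not in EXPECTED_PARENTS else "medium"
        if ev["type"] == "process":
            m = ENC_RE.search(ev["cmdline"]) if image in ("powershell.exe", "pwsh.exe") else None
            if m:
                findings.append({"rule": "encoded_powershell", "severity": sev, "parent": parent,
                                 "decoded": decode_encoded_command(m.group(1))})
            if image == "schtasks.exe" and "/create" in ev["cmdline"].lower():
                findings.append({"rule": "schtask_create", "severity": sev, "parent": parent})
        elif ev["type"] == "file":
            if STARTUP_DIR in ev["target"].lower() and PureWindowsPath(ev["target"]).suffix.lower() in AUTORUN_EXT:
                findings.append({"rule": "startup_autorun_write", "severity": "high",
                                 "writer": image, "target": ev["target"]})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields one finding per malicious event, with the encoded PowerShell decoded so the analyst sees the plaintext command.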
## Mitigation Strategies
- Prevention measures: Vetting all external proof-of-concept code, especially code found in unofficial or suspicious repositories on platforms like GitHub. Do not execute PoCs without manual review.
- Hardening recommendations: Restrict PowerShell execution policies, implement strong monitoring over scheduled task creation utilities.
## Related Tools/Techniques
- CVE-2024-49113 (LDAPNightmare) vulnerability exploitation.
- Information Stealers (General category of the final malware).