Hackers Targeting Recruiters
Are you a recruiter or hiring for a vacancy within your business?
Do you receive CVs on a regular basis from potential candidates for the job roles you are promoting?
If you answered ‘yes’ to either of those, then you may want to pay attention to this article.
In this article I will cover:
What is DEV-0538?
What to look out for?
How They Operate (More technical — contains screenshots)
Summary
IOCs
Sandbox Reports
WHAT IS DEV-0538?
Firstly, what, or who, is DEV-0538? This is the name given by Microsoft Threat Intelligence to a threat group they are tracking who tend to specialise in targeting recruitment staff.
Publicly available threat intelligence on this group is very limited right now, and there is currently no direct mapping of DEV-0538 to any threat actor listed in MITRE ATT&CK, but what we do know is:
“DEV-0538 is an emerging, financially motivated, cybercriminal group that has been observed targeting recruiters or other individuals via job application websites. They send phishing emails with an attachment containing hyperlinks, or the hyperlinks in the email body that lead to landing pages that serve their malware payloads to targets. Follow-on actions observed from DEV-0538 compromises include lateral movement, data exfiltration, and extortion of victims.”
–Microsoft
WHAT TO LOOK OUT FOR?
As a recruiter, some of the key details you will need to remain vigilant for are as follows (please note that mileage may vary here):
Suspiciously blank LinkedIn pages with minimal content, such as no profile picture, banner, or previous job experience.
Is the ‘CV’ blank, containing only a hyperlink to the candidate’s “personal website”, where you must go to download the “latest copy” of their CV?
If you have gone as far as to click the link, the site itself will, in most cases, be named after the LinkedIn user.
Before downloading the file, you are required to complete a CAPTCHA.
If you have downloaded files and they are not in the usual document formats of .PDF, .DOCX etc — DO NOT OPEN THEM…
If the download contains a file with a .LNK, .EXE, .JS, .VBS or .VBA extension, DELETE THE FILE immediately and report it to your security team as soon as possible.
More examples can be seen towards the bottom of the Article.
HOW DEV-0538 OPERATES
For the benefit of other security professionals, here I want to detail how these types of interactions may manifest.
To begin with, the threat actors will create a fake LinkedIn account which they will use to send their “application” for job postings for a target organisation.
Fake LinkedIn page used by Threat Actor
Next, they will send a PDF document (format may vary) to the recruiter, or individual who is hiring. This document may be completely blank and will contain a hyperlink to their ‘personal website’ which will be named after the LinkedIn account they submitted the document from.
Email Received by Recruiter
Contents of the PDF — Sophia+Lagoon+CV.pdf
In this example, the actor created the online persona of Sophia Lagoon, with the website https[://]sophia-lagoon[.]net. Depending on the sophistication, funding and resources the actor has, they will create very convincing websites which, to the untrained eye, will look completely legitimate. Following this, the victim is prompted to complete a CAPTCHA in order to download the candidate’s CV. This is their delivery method. As I’ve mentioned in other articles, the CAPTCHA prevents security tools that rely on static or automated analysis from reaching, identifying and flagging the malicious download, because the challenge requires human interaction to pass. This is why end-user training and remaining vigilant are so important regardless of your job title.
Landing page to download the “candidate’s CV” — Note the CAPTCHA to evade static detection
In some cases they may send malicious documents with embedded macros; these will no doubt be detected and blocked, and policies blocking the use of macros in Office documents will in any case prevent the execution of any malicious code within the document.
After completing the CAPTCHA challenge, a countdown and download will commence. In this case, the file the victim would download is called “Sales Manager.zip”. This zip folder contains two files:
Education and Experience.lnk
Lic.jpg
Sales Manager.zip being downloaded after completing Captcha Challenge
Education and Experience.lnk with Lic.jpg
Lic.jpg
Payload executed by CMD on opening .lnk file
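The archive described above (a shell link next to a decoy image) is exactly the pattern a mail gateway or SOC triage script can check for before a recruiter ever opens the download. The following is an added example, not code from the original article or from Stripe OLT; it flags archive members both by the extensions listed earlier and by the Windows shell link header, so a .lnk renamed to .pdf is still caught. The sample archive is constructed in the script and contains no real payload.

```python
import io
import zipfile

# Extensions the article says should never appear in a legitimate CV download.
RISKY_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".vba"}
# A Windows shell link starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")


def triage_zip(zip_bytes: bytes) -> list[str]:
    """Flag archive members by extension and by shell-link header.

    Returns one finding string per problem; an empty list means nothing in
    the archive matched the indicators described in the article.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"{name}: risky extension {ext}")
            # Check content, not just the name: a renamed .lnk keeps its header.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append(f"{name}: shell link (.lnk) header found")
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-in for the "Sales Manager.zip" described in the article:
# a shell link plus a decoy image. The link body is zero padding, not a payload.
SAMPLE_ZIP = make_zip({
    "Sales Manager/Education and Experience.lnk": LNK_MAGIC + b"\x00" * 60,
    "Sales Manager/Lic.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
})

if __name__ == "__main__":
    for finding in triage_zip(SAMPLE_ZIP):
        print(finding)
```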
SUMMARY
To summarise, DEV-0538 is a threat group known to Microsoft Threat Intelligence for targeting recruiters by posing as potential candidates for open job vacancies. The actors send malicious documents masquerading as a candidate’s resume in order to phish their victim into downloading a malicious payload, granting them initial access into a target network. From here, the malicious actors will continue to move laterally, establish persistence within the network and carry out their objectives where possible.
Below are a number of reports from sandbox solutions Joe Sandbox and AnyRun for anyone interested in looking into this further on their own. If you have any questions, please feel free to reach out!