โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK, so call the nearest office.

BriSTOL HQ & The South West

London & Surrounding Areas

Manchester & the North

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

ENQUIRY - Contact Popup DEPRECIATED (#3)

Keep up to date with the experts

Get insights directly to your email inbox

MAIL LIST - Newsletter, Exit Intent Popup (#13)

Follow us on social

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

ENQUIRY - Popup w/ Captcha for light backgrounds (#21)
Expert Intel

DEV-0538 | Hackers Targeting Recruiters

Published: May 16, 2023
Updated: May 29, 2024
Expert: Joe .F
Role: Senior Cyber Security Analyst
Specialises in: Security Operations
What you will learn:
Who is DEV-0538? This is the name given by Microsoft Threat Intelligence to a threat group they are tracking who tend to specialise in targeting recruitment staff.
"DEV-0538 is an emerging, financially motivated, cybercriminal group that has been observed targeting recruiters or other individuals via job application websites."

Hackers Targeting Recruiters

Are you a recruiter or hiring for a vacancy within your business?

Do you receive CVโ€™s on a regular basis from potential candidates for the job roles you are promoting?

If you answered โ€˜yesโ€™ to either of those, then you may want to pay attention to this article.

In this Article I will cover:

  • What is DEV-0538?
  • What to look out for?
  • How They Operate (More technical โ€” contains screenshots)
  • Summary
  • IOCs
  • Sandbox Reports

WHAT IS DEV-0538?

Firstly, what, or who, is DEV-0538? This is the name given by Microsoft Threat Intelligence to a threat group they are tracking who tend to specialise in targeting recruitment staff.

Threat Intelligence on this group is very limited to the public right now and there is currently no direct mapping of DEV-0538 to any threat actors listed within Mitre Att&ck, but what we do know is:

โ€œDEV-0538 is an emerging, financially motivated, cybercriminal group that has been observed targeting recruiters or other individuals via job application websites. They send phishing emails with an attachment containing hyperlinks, or the hyperlinks in the email body that lead to landing pages that serve their malware payloads to targets. Follow-on actions observed from DEV-0538 compromises include lateral movement, data exfiltration, and extortion of victims.โ€

Microsoft

WHAT TO LOOK OUT FOR?

As a recruiter, some of the key details you will need to remain vigilant for are as follows (please note that mileage may vary here):

  • Suspicious blank LinkedIn pages with minimal content such as profile pictures, banners, or previous job experience
  • Is the โ€˜CVโ€™ Blank only containing a hyperlink to their โ€œpersonal websiteโ€ where you must go to download the โ€œlatest copyโ€ of their CV?
  • If you have gone as far as to click the link, the site itself in most cases, will be named after the user on LinkedIn
  • Before downloading the file, you will need to complete a CAPTCHA.
  • If you have downloaded files and they are not in the usual document formats of .PDF, .DOCX etc โ€” DO NOT OPEN THEMโ€ฆ
  • If the file downloaded contains the likes of a .LNK, EXE, .JS, .VBS, .VBA extension, DELETE THE FILE immediately and report it to your security team as soon as possible.
  • More examples can be seen towards the bottom of the Article.

HOW DEV-0538 OPERATEs

For the benefit of other security professionals, here I want to detail how these types of intereactions may manifest.

To begin with, the threat actors will create a fake LinkedIn account which they will use to send their โ€œapplicationโ€ for job postings for a target organisation.

Fake LinkedIn page used by Threat Actor

Next, they will send a PDF document (format may vary) to the recruiter, or individual who is hiring. This document may be completely blank and will contain a hyperlink to their โ€˜personal websiteโ€™ which will be named after the LinkedIn account they submitted the document from.

Email Received by Recruiter

Contents of the PDF โ€” Sophia+Lagoon+CV.pdf

In this example, the actor created the online persona of Sophia Lagoon, with the website of https[://]sophia-lagoon[.]net. Depending on the sophistication, funding and resources the actor has, they will create very convincing websites which to the untrained eye will look completely legitimate. Following this, the victim is prompted to complete a CAPTCHA in order to download the candidateโ€™s CV. This is their delivery method. Again as Iโ€™ve mentioned in other articles, this use of a CAPTCHA prevents security tools which may use static detection, from identifying and flagging the malicious download as this often requires human interaction to bypass. This is why end user training and remaining vigilant is so important regardless of your job title.

Landing page to download the โ€œcandidateโ€™s CVโ€ โ€” Note the CAPTCHA to evade static detection

In some cases they may send malicious documents with embedded macros which will no doubt be detected and blocked, alternatively, policies blocking the use of macros in office documents will prevent the execution of any malicious code within the document.

After completing the CAPTCHA challenge, a countdown and download will commence. In this case, the file the victim would download is called โ€œSales Manager.zipโ€. This zip folder contains two files:

  • Education and Experience.lnk
  • Lic.jpg

Sales Manager.zip being downloaded after completing Captcha Challenge

Education and Experience.lnk with Lic.jpg

Lic.jpg

Payload executed by CMD on opening .lnk file

SUMMARY

To summarise, DEV-0538 are a threat group known to Microsoft Threat Intelligence for targeting recruiters by posing as potential candidates for open job vacancies. The actors send malicious documents masqueraded as a candidateโ€™s resume in order to phish their victim into downloading a malicious payload granting them initial access into a target network. From here, the malicious actors will continue to move laterally, establish persistence within a network and carry out their objectives where possible.

INDICATORS OF COMPROMISE

File: Sophia+Lagoon+CV.pdf
Hash: 9BE7E15234E9C9769076280B8FCAE753A649E44B3E0DF82AE2EDF275039E74E0
Virus Total:
https://www.virustotal.com/gui/file/9be7e15234e9c9769076280b8fcae753a649e44b3e0df82ae2edf275039e74e0/detection

File: ie4uinit.exe
Hash: c989cdcac84546c25258b480bee6d2f7ed27d41cb4538428be1649f522e4acdc
Virus Total: https://www.virustotal.com/gui/file/72daf26f6e15058a9fc47f3ba2bae13f5c3129b97c70ff484906a25e0ce7273b/relations

File: E4UINIT.EXE (different to above)
Hash: 72daf26f6e15058a9fc47f3ba2bae13f5c3129b97c70ff484906a25e0ce7273b
Virus Total: https://www.virustotal.com/gui/file/72daf26f6e15058a9fc47f3ba2bae13f5c3129b97c70ff484906a25e0ce7273b/relations

File: Education and Experience.lnk
Hash: 930506fba48983058ac1320684a8ab9d372d7d83265806fe995c6895964b3484
Virus Total: https://www.virustotal.com/gui/file/930506fba48983058ac1320684a8ab9d372d7d83265806fe995c6895964b3484/detection

IP Address: 142.11.222.59
Shodan: https://www.shodan.io/host/142.11.222.59

Domain: sophia-lagoon[.]net

URL: hxxps[://]sophia-lagoon[.]net/Sales-Manager

SANDBOX REPORTS:

Below are a number of reports from sandbox solutions Joe Sandbox and AnyRun for anyone interested in looking into this further on their own. If you have any questions, please feel free to reach out!

Joe Sandbox | Education and Experience.lnk.zip

Automated Malware Analysis โ€” Joe Sandbox Cloud Basic

Joe Sandbox | CV-David Rolls.lnk (Similar Payload)

Automated Malware Analysis Report for CV โ€” David Rolls.lnk โ€” Generated by Joe Sandbox

Anyrun | Sophia-lagoon[.]net/Sales-Manager

https://sophia-lagoon.net/sales-manager โ€” Interactive analysis โ€” ANY.RUN

AnyRun | IE4UINIT.EXE

ie4uinit.exe (MD5: ACA03178C248B32343B03F4B9ACCE1B9) โ€” Interactive analysis โ€” ANY.RUN

AnyRun | Education and Experience.lnk.zip

https://app.any.run/tasks/6732da67-85cb-42bb-a279-9b195ee0e76a/


Want to stay at the forefront of cyber security? Make sure to sign up to our Newsletter Access Granted and gain monthly updates directly from our team.

Our latest expert Intel