A Curious Case of a Job Recruiter and a Potentially Malicious Document

Angelus Llanos
Published in OSINT TEAM
Feb 25, 2023

I’m writing this short blog because I recently received a message from a recruiter about a job opportunity. It looked legit at first, until a few things started looking odd. So I wanted to share a quick rundown of what I saw, from which I hope readers can learn a thing or two, to help curb or prevent whatever these actors are aiming to achieve.

TL;DR

  • A “recruiter” on LinkedIn (with a Premium subscription) reached out to me over InMail about a job opportunity; the “recruiter” appeared to represent a known consumer electronics company
  • The profile had no profile photo, very few to almost zero connections, and virtually non-existent social activity
  • This “recruiter” provided a local phone number and a corporate email address; the email address appears to be a valid corporate address of the company this “recruiter” was allegedly representing
  • The “recruiter” appears to be impersonating 2 other recruiters from the same company it was allegedly representing
  • The “recruiter” included a suspicious Word document; unlike other documents from other recruiters that I have sent to sandboxes for analysis, this one hit a signature match (a medium-rated Sigma rule for SVCHOST Spawning Office Application)
  • If indeed malicious, this might be aimed either at the target candidate(s) (the victim) alone or, more worryingly, at the organization the target works for (where the victim would potentially be opening the attachment on their corporate computer)

What Happened

On Thursday night, I received this LinkedIn message:

It looks really harmless, until a few odd things stand out: no profile photo and no headline information (i.e. that blurb under the profile photo, which was just -- for this profile). Yes, the visibility of both the profile photo and the headline blurb can be toggled, but from the professional point of view of a recruiter reaching out to potential candidates, these are red flags to me. Why keep these private, right?

Since I didn’t want to dismiss this completely without doing some due diligence, I poked around further on this recruiter’s profile.

Ahh, the recruiter is a LinkedIn Premium subscriber, so it must be legit, right? (Take note: LinkedIn offers a free trial of its Premium subscription.) Let’s check their activities.

Hold on… isn’t it odd that the profile didn’t have any connections? And has 0 activities? Again, visibility controls can be applied to these too, but wouldn’t it be counterintuitive for a recruiter to have a tightly controlled profile, especially when they are also indirect brand ambassadors for the companies they’re recruiting for?

These are probably not enough justification to completely dismiss the message as malicious, so I went back to the original message, and then it hit me…

The fake recruiter’s name on the LinkedIn profile was different from the name in the message’s signature and contact details! The recruiter’s profile name mentions a certain V* S*, while the message’s signature and contact details mention a certain V* E*, with what appears to be a legit email address of v*e*@legitcompany.tld.

(wh)OopsSec?

So, I researched further and as it turned out, the 2 names used by this dubious recruiter profile are in fact both real persons working as real recruiters for the real company the fake recruiter is pretending to be from.

Here’s the LinkedIn profile of the real recruiter V* S* (aka Person 1):

Had to redact, sorry!

Here’s the LinkedIn profile of the 2nd real recruiter V* E* (aka Person 2):

Had to redact this too, sorry!

The attached Word document bore a random person’s name in the filename: JD_Threat Detection Engineer_<somerandosname>.docx

Next Steps

I’ve already submitted the sample to sandboxes, but unfortunately the analysis is inconclusive, apart from a signature match for SVCHOST Spawning Office Application. I will probably need to find time to poke around further (but in the meantime, feel free to reach out to me if you need additional details on the attachment, the profiles, etc.). Additionally, I’m attempting to reach out to the actual recruiters from that company to report this situation.
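For readers wondering what a signature like that is actually checking, here is an added example (my own code, not the author's and not the SigmaHQ rule text): a toy matcher approximating the logic of an "svchost.exe spawning an Office application" process-creation rule, run over constructed Sysmon-style events. The field names and the rule condition are my assumptions.

```python
"""Toy approximation of a 'SVCHOST Spawning Office Application' process-creation
rule. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine) by
assumption; the condition below is my approximation, not the published rule."""
from dataclasses import dataclass
from typing import List

# Office binaries a defender would typically watch for (assumed list)
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe",
                   "outlook.exe", "msaccess.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, case-folded, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_svchost_office(ev: ProcessEvent) -> bool:
    """True when an Office binary was started directly by svchost.exe."""
    return (basename(ev.parent_image) == "svchost.exe"
            and basename(ev.image) in OFFICE_BINARIES)


def triage(events: List[ProcessEvent]) -> List[str]:
    """One line per hit, carrying the command line an analyst pivots on.
    Expect some benign hits (Office started via COM activation or a scheduled
    task), which is why such rules are rated medium and still need triage."""
    return [f"HIT parent={basename(ev.parent_image)} "
            f"child={basename(ev.image)} cmd={ev.command_line}"
            for ev in events if matches_svchost_office(ev)]


# Constructed sample events, not taken from the author's sandbox run
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\u\Downloads\JD_constructed.docx"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\u\Downloads\JD_constructed.docx"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\taskhostw.exe", "taskhostw.exe"),
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)) or "no hits")
```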

Conclusion

As layoffs continually hit multiple companies in multiple sectors, it’s no surprise that malicious actors could be attempting to take advantage of this unfortunate time to prey on unsuspecting targets.

This wouldn’t be the first time malicious actors have launched campaigns using fake lures for actual open positions at real companies. Back in 2020, ESET uncovered “Operation In(ter)ception” by the Lazarus group, initially reported to be targeting the aerospace and military industries, although more recent campaigns showed a shift to targets in financial services.

It’s worth noting that I’m not trying to establish a connection between that campaign and my encounter with this “recruiter”. This is more of a warning that we should always exercise caution when dealing with these messages especially in these desperate times.


A self-confessed news hound, web nomad, and tech junkie. Doing #ThreatIntel/#CTI now but before was on #IncidentResponse/#IR. A Humanities grad, ex-seminarian.