Cross-chain protocols and Web3 firms continue to be targeted by hacking groups, as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.
deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled “New Salary Adjustments” was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.
A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as the deBridge team worked on unpacking the attack vector sent from a spoof email address designed to mirror Smirnov’s.
The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Friday, acting as a public service announcement for the wider cryptocurrency and Web3 community:
1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group.
PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m
— deAlex (@AlexSmirnov__) August 5, 2022
Smirnov’s team noted that the attack would not infect macOS users, as attempts to open the link on a Mac leads to a zip archive with the normal PDF file Adjustments.pdf. However, Windows-based systems are at risk as Smirnov explained:
“The attack vector is as follows: user opens link from email, downloads & opens archive, tries to open PDF, but PDF asks for a password. User opens password.txt.lnk and infects the whole system.”
The text file does the damage, executing a cmd.exe command which checks the system for anti-virus software. If the system is not protected, the malicious file is saved in the autostart folder and begins to communicate with the attacker to receive instructions.
Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises
The deBridge team allowed the script to receive instructions but nullified the ability to execute any commands. This revealed that the code collects a swathe of information about the system and exports it to attackers. Under normal circumstances, the hackers would be able to run code on the infected machine from this point onward.
Smirnov linked back to earlier research into phishing attacks carried out by the Lazarus Group which used the same file names:
#DangerousPassword (CryptoCore/CryptoMimic) #APT:
b52e3aaf1bd6e45d695db573abc886dc
Password.txt.lnkwww[.]googlesheet[.]info – overlapping infrastructure with @h2jazi‘s tweet as well as earlier campaigns.
d73e832c84c45c3faa9495b39833adb2
New Salary Adjustments.pdf https://t.co/kDyGXvnFaz— The Banshee Queen Strahdslayer (@cyberoverdrive) July 21, 2022
2022 has seen a surge in cross-bridge hacks as highlighted by blockchain analysis firm Chainalysis. Over $2 billion worth of cryptocurrency has been fleeced in 13 different attacks this year, accounting for nearly 70% of stolen funds. Axie Infinity’s Ronin bridge has been the worst hit so far, losing $612 million to hackers in March 2022.
