deBridge flags attempted phishing attack, suspects Lazarus Group

By CryptoNews, August 8, 2022
Cross-chain protocols and Web3 firms continue to be targeted by hacking groups, as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.

deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled “New Salary Adjustments” was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.

A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as it gave the deBridge team a live sample of the attack vector to unpack. The email had been sent from a spoofed address designed to mirror Smirnov's.

The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Friday, acting as a public service announcement for the wider cryptocurrency and Web3 community:

1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group.

PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m

— deAlex (@AlexSmirnov__) August 5, 2022

Smirnov's team noted that the attack would not infect macOS users: opening the link on a Mac yields a zip archive containing only a benign PDF, Adjustments.pdf. Windows systems, however, are at risk, as Smirnov explained:

“The attack vector is as follows: user opens link from email, downloads & opens archive, tries to open PDF, but PDF asks for a password. User opens password.txt.lnk and infects the whole system.”

The "text file" does the damage: it is not a text file at all but a Windows shortcut (.lnk) whose double extension hides the real file type. Opening it launches a cmd.exe command that checks the system for anti-virus software. If no AV is found, the malicious payload is saved to the autostart (Startup) folder, so it runs at every logon, and begins communicating with the attacker's server to receive instructions.
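The first defensive step against this lure is to look inside the shortcut before anyone double-clicks it. A .lnk file carries its target path and command-line arguments in a documented binary layout (Microsoft's MS-SHLLINK format), so an analyst can parse it offline and see whether "password.txt" really points at cmd.exe. The following is an added example, not code from deBridge or from the attacker's sample: it parses the ShellLinkHeader and StringData of a shortcut, skips the optional LinkTargetIDList and LinkInfo blocks, and flags the three traits the article describes (a document-style double extension, a target that is a command interpreter, and arguments that run an inline command). The two sample shortcuts, the `build_lnk` helper that assembles them in memory, the argument string `/c tasklist /v`, and the regular expressions are all constructed for this example and are not the real lure.

```python
import re
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (MS-SHLLINK 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that change the layout of what follows the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path="", arguments="", working_dir="", name="", id_list=None):
    """Assemble a minimal Unicode .lnk in memory. Constructed sample builder
    for this example only; real lures carry far more (LinkInfo, ExtraData)."""
    flags = IS_UNICODE
    body = b""
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list  # IDListSize excludes itself
    values = {"name": name, "relative_path": relative_path,
              "working_dir": working_dir, "arguments": arguments, "icon_location": ""}
    strings = b""
    for flag, key in STRING_FIELDS:
        if values[key]:
            flags |= flag
            strings += struct.pack("<H", len(values[key])) + values[key].encode("utf-16-le")
    # FILE_ATTRIBUTE_ARCHIVE, zeroed timestamps/size/icon, SW_SHOWNORMAL, no hotkey
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body + strings


def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping the optional
    LinkTargetIDList and LinkInfo blocks that precede them."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize/LinkCLSID)")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size  # LinkInfoSize includes its own 4 bytes
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, no terminator
        off += 2
        width = 2 if unicode else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


# Lure traits: a "document" extension in front of .lnk, a shortcut that really
# points at an interpreter, and arguments that run an inline command.
DOUBLE_EXT = re.compile(r"\.(txt|pdf|docx?|xlsx?|jpe?g|png)\.lnk$", re.I)
INTERPRETER = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|[wc]script|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I)
INLINE_CMD = re.compile(r"(^|\s)[/-]c\b|-e(nc(odedcommand)?)?\s|\biex\b|https?://", re.I)


def triage_lnk(filename, data):
    """Parse the shortcut and return (fields, findings); an empty findings
    list means none of the lure traits were present."""
    fields = parse_lnk(data)
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append(f"double extension disguises a shortcut as a document: {filename}")
    if INTERPRETER.search(fields["relative_path"]):
        findings.append(f"target is a command interpreter: {fields['relative_path']}")
    if INLINE_CMD.search(fields["arguments"]):
        findings.append(f"arguments run an inline command: {fields['arguments'][:80]}")
    return fields, findings


if __name__ == "__main__":
    # Constructed samples: one shaped like the lure, one benign shortcut to a PDF.
    lure = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c tasklist /v",
                     name="Adjustments password", id_list=b"\x00\x00")
    benign = build_lnk(r".\Adjustments.pdf")
    for fname, blob in (("password.txt.lnk", lure), ("Adjustments.lnk", benign)):
        fields, findings = triage_lnk(fname, blob)
        print(fname, "->", fields["relative_path"], fields["arguments"])
        for finding in findings:
            print("   !", finding)
```

Run it against a shortcut pulled from the archive (`triage_lnk(path.name, path.read_bytes())`) on an analysis machine, not on the recipient's workstation. The parser deliberately reads only the header and StringData; the IDList and LinkInfo blocks are skipped by their declared sizes, which is all that is needed to recover the target and arguments, and a shortcut whose declared sizes run past the end of the file simply yields empty fields rather than crashing the triage.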

The deBridge team let the script fetch instructions from the attacker's server but neutralised its ability to execute any of them. This revealed that the code collects a swathe of information about the host and exfiltrates it to the attackers. Under normal circumstances, the attackers would be able to run arbitrary code on the infected machine from this point onward.

Smirnov linked back to earlier research into phishing attacks carried out by the Lazarus Group which used the same file names:

#DangerousPassword (CryptoCore/CryptoMimic) #APT:
b52e3aaf1bd6e45d695db573abc886dc
Password.txt.lnk

www[.]googlesheet[.]info – overlapping infrastructure with @h2jazi‘s tweet as well as earlier campaigns.

d73e832c84c45c3faa9495b39833adb2
New Salary Adjustments.pdf https://t.co/kDyGXvnFaz

— The Banshee Queen Strahdslayer (@cyberoverdrive) July 21, 2022

2022 has seen a surge in cross-chain bridge hacks, as highlighted by blockchain analysis firm Chainalysis. Over $2 billion worth of cryptocurrency has been stolen in 13 separate bridge attacks this year, accounting for nearly 70% of all funds stolen. Axie Infinity's Ronin bridge has been the worst hit so far, losing $612 million to hackers in March 2022.