Hacking groups continue to target cross-chain protocols and Web3 companies, as deBridge Finance dissects a failed attack bearing the hallmarks of North Korea's Lazarus Group hackers.
deBridge Finance employees received what looked like another routine email from co-founder Alex Smirnov on Friday afternoon. The attachment, called "New Salary Adjustments", was designed to grab attention, as several crypto companies have laid off employees and cut wages during the ongoing crypto winter.
A few employees flagged the email and its attachment as suspicious, but one employee took the bait and downloaded the PDF. This turned out to be fortunate, as it let the deBridge team dissect the attack vector, which had been sent from a spoofed email address designed to mimic Smirnov's.
The founders shared the details of the attempted phishing attack in a lengthy Twitter thread posted on August 5, which serves as a public service announcement for the cryptocurrency community and the broader Web3 space.
Smirnov's team notes that the attack won't infect macOS users: opening the link on a Mac leads to a zip archive containing only an ordinary PDF, Adjustments.pdf. Systems running Windows, however, are at risk, as Smirnov explained:
“The attack vector is as follows: the user opens a link from the email, downloads and opens the archive, tries to open the PDF, but the PDF asks for a password. The user opens password.txt.lnk and infects the entire system.”
The supposed text file is what does the damage: it is actually a Windows shortcut (.lnk) that runs a cmd.exe command which scans the system for antivirus software. If the system is unprotected, the malicious file is saved to the Autorun folder and begins contacting the attacker to receive instructions.
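As an added illustration (not code from deBridge or the original article), a small Python scanner that flags the lure pattern described above inside a zip archive: a document-looking name ending in an executable extension, such as password.txt.lnk, and Windows shortcut headers hiding behind other names. The archive it scans is a constructed sample, not the real attachment.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions Windows executes on double-click, and document-like extensions used as a disguise.
EXECUTABLE_EXT = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DECOY_EXT = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a Windows shortcut (.lnk) header, whatever the file is named."""
    return data[:20] == LNK_MAGIC


def deceptive_name(name: str) -> bool:
    """True for names like password.txt.lnk: a document-looking extension followed by an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXT and "." + parts[-2] in DECOY_EXT


def scan_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for every archive entry matching the lure described in the article."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if deceptive_name(info.filename):
                findings.append((info.filename, "double extension hiding an executable type"))
                continue
            with zf.open(info) as fh:          # read only the header, not the whole member
                if is_shell_link(fh.read(20)):
                    findings.append((info.filename, "shortcut header in a non-.lnk file"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not the real lure: a benign-looking PDF beside a disguised shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adjustments.pdf", b"%PDF-1.4\n% placeholder decoy document\n")
        zf.writestr("password.txt.lnk", LNK_MAGIC + b"\x00" * 56)  # header plus padding, no target
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

The same two checks apply to mail-gateway or endpoint scanning; the header check catches shortcuts even when the .lnk extension is hidden by Explorer's "hide known extensions" default.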
The deBridge team allowed the script to receive instructions but blocked it from executing any commands. This revealed that the code collects a wealth of information about the system and sends it to the attackers. Under normal circumstances, the hackers would be able to run code on the infected device from this point on.
Smirnov linked to previous research on phishing attacks carried out by the Lazarus Group that used the same file names.
2022 has seen a rise in bridge hacks, as highlighted by blockchain analytics firm Chainalysis. More than $2 billion worth of cryptocurrency has been stolen in 13 different attacks this year, accounting for nearly 70% of all stolen funds. Axie Infinity's Ronin Bridge has been the hardest hit so far, losing $612 million to hackers in March 2022.