The “Lazarus Group,” a notorious North Korea-backed hacking syndicate, has been identified as the culprit behind an attempted cyber-attack on deBridge Finance. Alex Smirnov, co-founder and project lead of the cross-chain protocol, said the attack arrived by email: several team members received a PDF file named “New Salary Adjustments” from a spoofed address that mirrored the exec’s own.
While deBridge Finance managed to thwart the phishing attempt, Smirnov warned that the campaign is likely widespread and aimed at Web3-focused platforms.
Attempted Attack on deBridge
According to a long Twitter thread by the exec, most team members immediately flagged the suspicious email, but one downloaded and opened the file. That single case let the team investigate the attack vector and understand its consequences.
Smirnov further explained that macOS users are not affected: opening the link on a Mac leads to a zip archive containing an ordinary PDF file, Adjustments.pdf. Windows users, however, are directed to an archive containing a password-protected PDF with the same name plus an additional file named Password.txt.lnk.
Despite its name, that second file is not a text file. The .lnk extension, which Windows Explorer hides by default, marks it as a Windows shortcut, so double-clicking it runs a command rather than displaying a password. On a machine without anti-virus software the shortcut’s payload is saved to the autostart (Startup) folder so that it runs at every login, after which a simple script repeatedly contacts the attacker’s server to receive instructions.
“The attack vector is as follows: user opens a link from email -> downloads & opens archive -> tries to open PDF, but PDF asks for a password -> user opens password.txt.lnk and infects the whole system.”
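The whole lure stage rests on two tricks a mail gateway or an analyst can check for mechanically: a double extension such as Password.txt.lnk that hides the real file type, and a shortcut whose target is a command interpreter instead of a document. The script below is an added example (not deBridge’s or Smirnov’s code, and not the real attachment): it parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format to pull out what a .lnk would launch, then flags those two tricks. The sample shortcut bytes are constructed inline for the demo; the choice of a cmd.exe target and a Notepad icon is an assumption about how such a lure would be built, not a detail from the thread.

```python
"""Triage helper for phishing-attachment shortcuts (.lnk).

Added example, not code from the original article or from deBridge.
Parses enough of MS-SHLLINK (header + StringData) to recover the target,
arguments and icon a shortcut carries, and flags a double extension and
a shortcut that launches an interpreter instead of opening a document.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-0046
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Interpreters and LOLBins a "text file" has no business launching.
SUSPICIOUS_TARGETS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript",
                      "mshta", "rundll32", "regsvr32", "certutil", "bitsadmin")


def _read_string(buf, off, unicode):
    """One StringData element: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    """Return flags plus the StringData fields of a shell link as a dict."""
    if len(buf) < 0x4C:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    off = 0x4C
    unicode = bool(flags & IS_UNICODE)
    if flags & HAS_LINK_TARGET_ID_LIST:      # uint16 IDListSize, then the list
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # uint32 LinkInfoSize includes itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    info = {"flags": flags}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            info[key], off = _read_string(buf, off, unicode)
        else:
            info[key] = ""
    return info


def triage(filename, buf):
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower.count(".") >= 2:
        findings.append("double extension hides .lnk: %s" % filename)
    try:
        info = parse_lnk(buf)
    except ValueError as e:
        return findings + ["unparseable: %s" % e]
    launch = (info["relative_path"] + " " + info["arguments"]).lower()
    for target in SUSPICIOUS_TARGETS:
        if target in launch:
            findings.append("shortcut launches %s with args %r" % (target, info["arguments"]))
            break
    if "notepad" in info["icon_location"].lower():
        findings.append("icon borrowed from Notepad to look like a text file")
    return findings


def build_sample_lnk(relative_path, arguments, icon_location):
    """Constructed sample: a Unicode .lnk carrying only StringData (no ID list, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed attachments: the lure-style shortcut and a harmless one for comparison.
SAMPLE_NAME = "Password.txt.lnk"
SAMPLE_LNK = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe",
                              '/c "echo constructed sample"',
                              r"%SystemRoot%\System32\notepad.exe")
BENIGN_NAME = "Adjustments.lnk"
BENIGN_LNK = build_sample_lnk(r"..\Documents\Adjustments.pdf", "", "")

if __name__ == "__main__":
    for name, data in ((SAMPLE_NAME, SAMPLE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, "->", triage(name, data) or ["clean"])
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their size fields rather than decoding them, which is enough to reach the arguments string where the actual command lives; a fuller triage would also decode the ID list, since a shortcut can omit the relative path and point at its target only through the ID list.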
The co-founder then urged firms and their employees never to open email attachments without verifying the sender’s full email address, and to set an internal protocol for how teams share attachments.
“Please stay SAFU and share this thread to let everyone know about potential attacks.”
Lazarus Attackers Targeting Crypto
North Korea’s state-sponsored hacking groups are infamous for financially motivated attacks. Lazarus, for one, has carried out many high-profile attacks on crypto exchanges, NFT marketplaces, and individual investors with significant holdings. The latest attempt closely resembles previous campaigns by the syndicate.
Amid the COVID-19 outbreak, cyber-crimes led by Lazarus saw a massive uptrend. More recently, the group stole over $620 million from Axie Infinity’s Ronin bridge earlier this year.
In fact, reports also reveal that the country’s cyber program is large and well-organized despite being economically isolated from the rest of the world. As per multiple US government sources, these entities have also adapted to Web3 and are currently targeting the decentralized finance space.