Cross-chain protocols and Web3 firms continue to be targeted by hacking groups as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.
deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled ‘New Salary Adjustments’ was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.
A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as it let the deBridge team unpack the attack chain, which began with a spoofed sender address designed to mirror Smirnov’s.
The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Aug. 5, acting as a public service announcement for the wider cryptocurrency and Web3 community:
1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group. PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m
Smirnov’s team noted that the attack would not infect macOS users: opening the link on a Mac leads to a zip archive containing the normal PDF file Adjustments.pdf. Windows-based systems, however, are at risk, as Smirnov explained:
The text file does the damage, executing a cmd.exe command which checks the system for anti-virus software. If the system is not protected, the malicious file is saved in the autostart folder and begins to communicate with the attacker to receive instructions.
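The two behaviours Smirnov describes, a cmd.exe child checking for anti-virus software and then a file dropped into the Startup (autostart) folder, are what a detection engineer would key on, because each alone is noisy but the pair on one host within a few minutes is not. The Python below is an added example, not code from deBridge or from the article: it runs a simple correlation over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation). The WMI SecurityCenter2 query used as the AV-check signature is an assumption; the thread does not say which command the sample actually ran.

```python
"""Correlate an AV-enumeration command with a Startup-folder write on the same host.

Added example, not deBridge's or Cointelegraph's code. Events below are constructed
to resemble Sysmon telemetry; the AV-check patterns are assumptions to tune locally.
"""
import re
from datetime import datetime, timedelta

# Command-line fragments that enumerate installed AV products. The WMI
# SecurityCenter2 query is one common way droppers do this; the source thread
# does not say which check the sample used, so these are assumptions.
AV_ENUM_PATTERNS = [
    re.compile(r"root\\+securitycenter2", re.I),
    re.compile(r"antivirusproduct", re.I),
    re.compile(r"get-mpcomputerstatus", re.I),
]

# Per-user and all-users Startup folders (the "autostart folder" in the thread).
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.I)

# Constructed Sysmon-style events: id 1 = process create, id 11 = file create.
SAMPLE_EVENTS = [
    {"ts": "2022-08-05T14:02:11", "host": "WS-07", "id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"ts": "2022-08-05T14:02:13", "host": "WS-07", "id": 11,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "target": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    # Benign installer creating a Startup shortcut: one signal only, no alert.
    {"ts": "2022-08-05T14:05:00", "host": "WS-12", "id": 11,
     "image": "C:\\Users\\asmith\\Downloads\\SlackSetup.exe",
     "target": "C:\\Users\\asmith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Slack.lnk"},
    # Ordinary cmd.exe activity: no AV enumeration, no alert.
    {"ts": "2022-08-05T14:06:40", "host": "WS-03", "id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\Users\\bob\\Documents"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_av_enumeration(event):
    """True for a process-creation event whose command line probes installed AV."""
    if event.get("id") != 1:
        return False
    cmdline = event.get("cmdline", "")
    return any(p.search(cmdline) for p in AV_ENUM_PATTERNS)


def is_startup_write(event):
    """True for a file-creation event targeting a Startup folder."""
    if event.get("id") != 11:
        return False
    return bool(STARTUP_FOLDER.search(event.get("target", "")))


def correlate(events, window=timedelta(minutes=10)):
    """Pair each AV-enumeration event with a Startup-folder write on the same host
    within `window`; return one alert dict per pair (empty list if none)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        enums = [e for e in evs if is_av_enumeration(e)]
        writes = [e for e in evs if is_startup_write(e)]
        for e in enums:
            for w in writes:
                if abs(_ts(w) - _ts(e)) <= window:
                    alerts.append({
                        "host": host,
                        "av_check": e["cmdline"],
                        "startup_file": w["target"],
                        "first_seen": min(_ts(e), _ts(w)).isoformat(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The installer on WS-12 writes a Startup shortcut but never probes AV, and the cmd.exe on WS-03 never touches Startup, so only WS-07 produces an alert. In a real pipeline the same two predicates would be applied to live Sysmon or EDR process and file events, with the AV-check pattern list extended from whatever the actual dropper was observed to run.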
The deBridge team allowed the script to receive instructions but
Read more on cointelegraph.com