North Korean Hacker Group Lazarus Attacked Crypto Platform, Co-Founder Claims
KEY POINTS
- deBridge Finance team members received a malicious ZIP file via email
- The file only affects Windows users, so macOS users remain safe
- When unzipped, the said file trigger a chain of events that leaks user info
North Korean hacker group Lazarus has attempted a cyber attack on deBridge, a generic messaging and cross-chain interoperability protocol, via a malicious file sent by email.
The said file is reportedly capable of extracting information from the host's device and sending it to the attacker.
Alex Smirnov, co-founder of deBridge Finance, took to Twitter on Aug. 6 to reveal that many of his team members reported receiving a PDF file called "New Salary Adjustments" from an email address spoofing mine which makes it difficult to track the sender of the mail.
1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group.
— deAlex (@AlexSmirnov__) August 5, 2022
PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m
Smirnov believes the attack could be widespread in the crypto and Web3 space. "Most of the team members immediately reported the suspicious email, but one colleague downloaded and opened the file," he noted.
The co-founder added that they investigated the attempt and found that the malicious file will not affect macOS users. Moreover, opening the link will lead to a ZIP file containing a PDF file with the name "Adjustments.pdf."
However, when opened on a Windows machine, the ZIP will show files called "file Adjustments.pdf" and "Password.txt.lnk."
5/…while opening this link on Windows systems leads to an archive with password-protected pdf with the same name (md5: 0038…8bc4), and an additional file named Password.txt.lnk (md5: 2eaa…6a30) pic.twitter.com/QCHbAvi7kY
— deAlex (@AlexSmirnov__) August 5, 2022
"The attack vector is as follows: user opens link from email -> downloads & opens archive -> tries to open PDF, but PDF asks for a password -> user opens password.txt.lnk and infects the whole system," Smirnov explained.
Further investigations reportedly revealed that opening the password file alongside the PDF triggers a series of processes that leaks the username, OS info, CPU details and network adapters. The same step also can also run processes for the attacker.
Smirnov further said that "only a few anti-virus solutions mark these files as malicious," noting that files with the same names (but different hashes) have been noticed and attributed to Lazarus Group.
15/ According to the Twitter thread https://t.co/5YThfumjZD files with the same names (but different hashes) were noticed and attributed to Lazarus Group (North-Korean hackers).
— deAlex (@AlexSmirnov__) August 5, 2022
The co-founder then took the opportunity to remind Web3 and crypto investors and participants to be more cautious when dealing with files sent to them.
"Never open email attachments without verifying the sender's full email address, and have an internal protocol for how your team shares attachments!" he said.
Lazarus Group is also responsible for Axie Infinity's Ronin Bridge attack in which $620 million were drained from the Bridge.
© Copyright IBTimes 2024. All rights reserved.
-
More War Debris In Gaza Than Ukraine: UN
-
UK Confirms First Migrants Held For Rwanda Deportation Flights
-
Tesla To Cut Hundreds More Jobs In Musk Cost Push: Report
-
Microsoft Is Turning Into The 'Maestro' Of AI Transformation
-
NATO Chief Says Ukraine Can Still Win War Despite Russian Advances
-
US-Japan-Philippines Alliance: A Trio With Bitter Past Now Threatens China's Maritime Ambitions
-
Abu Dhabi-backed Group Ends Telegraph Takeover Bid
-
Canada's First New Oil Pipeline In Decades Starts Operating
-
New Post-Brexit Controls: A Thorn For UK Horticulture
-
Climate Change, Brexit Threaten To Wilt Dutch Tulips
