Hacking groups continue to target Web3 companies and cross-chain protocols such as Chainlink: deBridge Finance has described an unsuccessful attack carried out by North Korea's Lazarus Group. Alongside its account of the attack, the deBridge team warns other cross-chain bridges to be on guard against similar attacks.
On August 5, deBridge Finance employees received what appeared to be a routine email from co-founder Alex Smirnov. With numerous crypto companies implementing staff reductions and pay cuts during the ongoing crypto winter, an attachment titled "New Salary Adjustments" was bound to attract interest. The co-founder walked through the details of the attempted phishing attack in a lengthy Twitter thread, published on August 5 as a warning to the wider crypto and Web3 communities:
1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group.
PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m
— deAlex (@AlexSmirnov__) August 5, 2022
Smirnov's team determined that macOS users were not infected: opening the link on a Mac produced a zip archive containing only an ordinary PDF named Adjustments.pdf. However, as Smirnov explained:
"Windows-based systems are vulnerable. The user opens password.txt.lnk and infects the entire system. Running the cmd.exe command to scan the system for antivirus software corrupts text files. If your system is unprotected, the malicious file will be saved in your startup folder and communicate with the attacker for instructions."
The deBridge team let the script receive instructions but disabled its ability to execute commands. The code was found to collect a great deal of information about the system and export it to the attacker; under normal circumstances, from this point on the attacker can execute code on the infected machine. Smirnov also linked to earlier research into a phishing attack by the Lazarus Group that used the same filename:
www[.]googlesheet[.]info – overlapping infrastructure with @h2jazi's tweet as well as earlier campaigns.
New Salary Adjustments.pdf 💸💸💸 https://t.co/kDyGXvnFaz
— The Banshee Queen 👑 Strahdslayer 👑 (@cyberoverdrive) July 21, 2022
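The lure described above relies on a Windows shell link (password.txt.lnk) hidden in a zip next to a document-looking name. The following Python script is an added example, not deBridge's code, showing how a mail gateway or analyst could triage such an attachment offline: it flags entries by deceptive double extension, by .lnk extension, and by the MS-SHLLINK header bytes (so an LNK renamed to look harmless is still caught). The archive is constructed in memory; the entry names are taken from the page, but the file contents are placeholders, not the real payload.

```python
"""Triage a zip attachment for Windows shell-link (.lnk) lures.

Added example (not deBridge's code). The sample archive below is constructed
to mimic the lure described in the thread; its contents are placeholders.
"""
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Document-looking inner extensions and executable outer extensions that,
# combined, make a "double extension" lure such as password.txt.lnk.
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx"}
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta"}


def classify_name(name: str) -> list[str]:
    """Findings based only on the entry name (cheap, but easy to evade)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    findings = []
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")
    if parts[-1] == "lnk":
        findings.append("lnk-extension")
    return findings


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes are the fixed shell-link header prefix."""
    return data[:20] == LNK_MAGIC


def triage_zip(blob: bytes) -> dict[str, list[str]]:
    """Return {entry name: [findings]} for every suspicious entry in the archive."""
    results: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = classify_name(info.filename)
            # Content check: an LNK renamed to notes.txt is still an LNK.
            with zf.open(info) as fh:
                head = fh.read(20)
            if is_lnk(head):
                findings.append("lnk-header")
            if findings:
                results[info.filename] = findings
    return results


def build_sample_zip() -> bytes:
    """Constructed sample archive: not the real attachment."""
    fake_lnk = LNK_MAGIC + b"\x00" * (76 - 20)  # 76-byte header, no link-target payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Salary Adjustments.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("password.txt.lnk", fake_lnk)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)  # LNK bytes under a harmless name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in triage_zip(build_sample_zip()).items():
        print(f"{entry}: {', '.join(why)}")
```

The name-based checks catch the lure as shipped; the header check is what matters in practice, because an attacker controls the filename but not the 20 bytes Windows needs at the start of a shell link. A real gateway would go further and parse the LNK's target path and arguments, which is where the cmd.exe invocation described in the thread would appear.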
Blockchain analysis firm Chainalysis has highlighted that attacks on cross-chain bridges have surged in 2022. So far this year, 13 bridge attacks have stolen more than $2 billion in crypto, accounting for nearly 70% of all funds stolen.