Cross chains, beware! deBridge flags attempted phishing attack, suspects Lazarus Group

Published at: Aug. 8, 2022

Cross-chain protocols and Web3 firms continue to be targeted by hacking groups as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.

deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled ‘New Salary Adjustments’ was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.

A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as the deBridge team worked on unpacking the attack vector sent from a spoof email address designed to mirror Smirnov’s.

The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Aug. 5, acting as a public service announcement for the wider cryptocurrency and Web3 community:

1/ @deBridgeFinance has been the subject of an attempted cyberattack, apparently by the Lazarus group. PSA for all teams in Web3, this campaign is likely widespread. pic.twitter.com/P5bxY46O6m

— deAlex (@AlexSmirnov__) August 5, 2022

Smirnov’s team noted that the attack would not infect macOS users, as attempts to open the link on a Mac lead to a zip archive containing the normal PDF file Adjustments.pdf. However, Windows-based systems are at risk, as Smirnov explained:

“The attack vector is as follows: user opens link from email, downloads & opens archive, tries to open PDF, but PDF asks for a password. User opens password.txt.lnk and infects the whole system.”

The password.txt.lnk file does the damage, executing a cmd.exe command which checks the system for anti-virus software. If the system is not protected, the malicious file is saved in the autostart folder and begins to communicate with the attacker to receive instructions.

The deBridge team allowed the script to receive instructions but nullified the ability to execute any commands. This revealed that the code collects a swathe of information about the system and exports it to attackers. Under normal circumstances, the hackers would be able to run code on the infected machine from this point onward.

Smirnov linked back to earlier research into phishing attacks carried out by the Lazarus Group which used the same file names:

#DangerousPassword (CryptoCore/CryptoMimic) #APT: b52e3aaf1bd6e45d695db573abc886dc Password.txt.lnk www[.]googlesheet[.]info - overlapping infrastructure with @h2jazi's tweet as well as earlier campaigns. d73e832c84c45c3faa9495b39833adb2 New Salary Adjustments.pdf https://t.co/kDyGXvnFaz

— The Banshee Queen Strahdslayer (@cyberoverdrive) July 21, 2022

2022 has seen a surge in cross-bridge hacks as highlighted by blockchain analysis firm Chainalysis. Over $2 billion worth of cryptocurrency has been fleeced in 13 different attacks this year, accounting for nearly 70% of stolen funds. Axie Infinity's Ronin bridge has been the worst hit so far - losing $612 million to hackers in March 2022.
