North Korean Hacker Group Lazarus Attacked Crypto Platform, Co-Founder Claims
KEY POINTS
- deBridge Finance team members received a malicious ZIP file via email
- The file only affects Windows users, so macOS users remain safe
- When unzipped, the said file trigger a chain of events that leaks user info
North Korean hacker group Lazarus has attempted a cyber attack on deBridge, a generic messaging and cross-chain interoperability protocol, via a malicious file sent by email.
The said file is reportedly capable of extracting information from the host's device and sending it to the attacker.
Alex Smirnov, co-founder of deBridge Finance, took to Twitter on Aug. 6 to reveal that many of his team members reported receiving a PDF file called "New Salary Adjustments" from an email address spoofing mine which makes it difficult to track the sender of the mail.
Smirnov believes the attack could be widespread in the crypto and Web3 space. "Most of the team members immediately reported the suspicious email, but one colleague downloaded and opened the file," he noted.
The co-founder added that they investigated the attempt and found that the malicious file will not affect macOS users. Moreover, opening the link will lead to a ZIP file containing a PDF file with the name "Adjustments.pdf."
However, when opened on a Windows machine, the ZIP will show files called "file Adjustments.pdf" and "Password.txt.lnk."
"The attack vector is as follows: user opens link from email -> downloads & opens archive -> tries to open PDF, but PDF asks for a password -> user opens password.txt.lnk and infects the whole system," Smirnov explained.
Further investigations reportedly revealed that opening the password file alongside the PDF triggers a series of processes that leaks the username, OS info, CPU details and network adapters. The same step also can also run processes for the attacker.
Smirnov further said that "only a few anti-virus solutions mark these files as malicious," noting that files with the same names (but different hashes) have been noticed and attributed to Lazarus Group.
The co-founder then took the opportunity to remind Web3 and crypto investors and participants to be more cautious when dealing with files sent to them.
"Never open email attachments without verifying the sender's full email address, and have an internal protocol for how your team shares attachments!" he said.
Lazarus Group is also responsible for Axie Infinity's Ronin Bridge attack in which $620 million were drained from the Bridge.
© Copyright IBTimes 2024. All rights reserved.