The co-founder of deBridge Finance accused Lazarus Group of being the culprit in this cross-banana protocol attack through an email containing a malicious file.
deBridge becomes the next target of Lazarus Group
The notorious hacking organization, backed by North Korea, Lazarus group has been identified as the perpetrator of a cyber attack against deBridge Finance. Cross-chain protocol co-founder and project lead, Alex Smirnov, alleges that the attack vector was through an email, in which several team members received a PDF file titled “New Salary Adjustment” from a fake address that copies the CEO’s address.
While deBridge Finance tries to prevent the phishing attack, Smirnov warns that the fraud campaign is likely to broadly target Web3-focused platforms.
According to a long Twitter thread by moderators, most team members immediately flagged the email as suspicious, but one person downloaded and opened the file. This helped them investigate the attack vector and understand its consequences.
Smirnov further explains that macOS users are safe, as opening the link on a Mac will result in a zip archive with the normal PDF file Adjustments.pdf. On the other hand, the Windows system is not immune to dangers. Instead, Windows users will be redirected to an archive with a suspicious password-protected pdf file with the same name and an additional file named Password.txt.lnk.
The text file will basically infect the system. Therefore, the lack of anti-virus software will help the malicious file to enter the machine and will be saved in the autostart folder, after which a simple script will start sending repeated requests to communicate with the attacker to receive instructions.
“The attack vector is as follows: user opens a link from email -> downloads & opens archive -> tries to open PDF, but PDF asks for a password -> user opens password.txt.lnk and infects the whole system.”
The co-founder then urged the firms and their employees to never open email attachments without verifying the sender’s full email address and to have an internal protocol for how teams share attachments.
“Please stay SAFU and share this thread to let everyone know about potential attacks.”
It can be seen that cross-chain protocols have always been the main target of this criminal organization. This latest attack has almost the same implementation method as previous attacks done by this organization.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join CoinCu Telegram to keep track of news: https://t.me/coincunews