Hackers believed to be associated with the North Korean-based cybercriminal group Lazarus have attempted yet another digital heist by targeting cryptocurrency firm deBridge Finance.
As reported by Bleeping Computer, deBridge operates as a “liquidity transfer protocol that allows decentralized transfer of data and assets” between multiple blockchain platforms.
That fact alone was reason enough for Lazarus to reportedly make the company its latest target. The breach was attempted by sending a phishing email to employees. If opened, it would infect the system with malware, subsequently allowing it to obtain sensitive information from Windows-powered devices in the network.
It would also lay the groundwork for another round of malicious code to be activated at an advanced stage of the cyber attack.
Employees of deBridge Finance received an email last week from the hackers, who posed as the firm’s co-founder, Alex Smirnov. The email contained bogus details about “new salary adjustments” via a HTML file.
That file was masked as a PDF, joined by a Windows shortcut file (.LNK) that tried to lure victims in by posing as a password text file.
Once the doctored PDF file is opened, a cloud storage location is subsequently launched, prompting the user to refer back to the fake text file for a password. From here, the LNK file connects to the Command Prompt with a command that retrieves and loads a payload that is stored remotely.
With the hackers now breaching the system with its malware, it could obtain relevant information about the target system such as the username, operating system, CPU, network adapters, and running processes.
Although the majority of employees who saw the email reported it as suspicious, one individual was unaware of the misleading nature of the contents. Once that employee downloaded and opened the fake document, Smirnov said he was able to examine the attack itself.
North Korean hackers from the Lazarus group are suspected to be behind this particular incident due to the similarity in file names and infrastructure discovered in an earlier attack.
The Lazarus group has certainly been active as of late. It recently tried to trick crypto experts with a similar email campaign by posing as cryptocurrency exchange Coinbase. Elsewhere, the hackers were linked to a huge $617 million crypto heist earlier this year.