deBridge Finance crypto platform targeted by Lazarus hackers
Hackers suspected to be from the North Korean Lazarus group tried their luck at stealing cryptocurrency from deBridge Finance, a cross-chain protocol that enables the decentralized transfer of assets between various blockchains. The threat actor used a phishing email to trick company employees into launching malware that collected various information from Windows systems and allowed the delivery of additional malicious code for subsequent stages of the attack. The hackers targeted deBridge Finance employees on Thursday with an email purporting to be from the company co-founder, Alex Smirnov, allegedly sharing new information about salary changes. The email reached multiple employees and included an HTML file named ‘New Salary Adjustments’ that pretended to be a PDF file along with a Windows shortcut file (.LNK) that poses as a plain text file containing a password. Clicking the fake PDF opened a cloud storage location claiming to provide a password-protected archive containing the PDF, thus bringing the target to launching the fake text file to obtain the password.