North Korean threat actors try to hack cryptocurrency platform deBridge Finance

A group of hackers, suspected of belonging to the North Korean group Lazarus, has targeted the crypto platform deBridge Finance, a platform that uses an inter-chain protocol to allow the transfer of assets between blockchains. The attackers' objective was to steal cryptocurrency from the platform using an APT (Advanced Persistent Threat) style attack plan.

This attack plan began last Thursday with a phishing email sent to company employees to try to trick them. The email carried disguised malware that collected information from the affected Windows systems and allowed additional malicious code to be downloaded, enabling the subsequent phases of the attack.

The email sent by the attackers claimed to come from the company’s co-founder, Alex Smirnov, and offered alleged new information about changes in employee salaries. Attached was an HTML file called ‘New Salary Adjustments’ purporting to be a PDF, along with a Windows shortcut file (.LNK) referencing a ‘Password.txt’ file.

Opening the alleged PDF redirected to a cloud location and led the target of the attack to open the supposed text file, which, when opened, downloaded a payload from a remote location.

The payload was programmed to open Notepad with the text ‘pdf password: salary2022’, and also checked whether the affected system was protected by a security solution such as ESET, Tencent or Bitdefender. If these solutions were absent, the malicious file was saved in the system’s startup folder to ensure its persistence.

Once the malware was installed on the system, it sent requests to the attacker’s command and control server for further instructions, allowing the attacker to proceed to the next phase of the APT attack: information gathering. The collected data ranged from the username and operating system to details of the CPU, network adapters and running processes.
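As an added illustration (not code from the article or from deBridge), the Python script below flags the persistence step described above: a script host started by explorer.exe (what double-clicking the shortcut file produces) whose process tree later writes a file into the per-user Startup folder. The Sysmon-style events, process ids and paths are constructed for the example.

```python
import re

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)
# Script hosts that a double-clicked .lnk typically starts under explorer.exe
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Constructed Sysmon-style telemetry, not real logs: id 1 = process create,
# id 11 = file create. Process ids and paths are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3000, "image": "cmd.exe", "parent": "explorer.exe"},
    {"id": 1, "pid": 4130, "ppid": 4120, "image": "powershell.exe", "parent": "cmd.exe"},
    {"id": 1, "pid": 4140, "ppid": 4130, "image": "notepad.exe", "parent": "powershell.exe"},
    {"id": 11, "pid": 4130, "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft"
                                    "\\Windows\\Start Menu\\Programs\\Startup\\update.exe"},
    {"id": 1, "pid": 5000, "ppid": 3000, "image": "winword.exe", "parent": "explorer.exe"},
    {"id": 11, "pid": 5000, "path": "C:\\Users\\bob\\Documents\\~$report.docx"},
    {"id": 1, "pid": 7000, "ppid": 3000, "image": "setup.exe", "parent": "explorer.exe"},
    {"id": 11, "pid": 7000, "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft"
                                    "\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk"},
]


def find_startup_drops(events):
    """Return (root_pid, writer_pid, path) for every Startup-folder write whose
    writing process descends from a script host launched by explorer.exe."""
    parent_of, image_of, parent_image = {}, {}, {}
    for ev in events:
        if ev["id"] == 1:
            parent_of[ev["pid"]] = ev["ppid"]
            image_of[ev["pid"]] = ev["image"].lower()
            parent_image[ev["pid"]] = ev["parent"].lower()

    def root_script_host(pid):
        # Walk up the recorded tree looking for an explorer-launched script host
        while pid in parent_of:
            if image_of[pid] in SCRIPT_HOSTS and parent_image[pid] == "explorer.exe":
                return pid
            pid = parent_of[pid]
        return None

    hits = []
    for ev in events:
        if ev["id"] == 11 and STARTUP_RE.search(ev["path"]):
            root = root_script_host(ev["pid"])
            if root is not None:  # Startup writes by ordinary installers are ignored
                hits.append((root, ev["pid"], ev["path"]))
    return hits
```

Running `find_startup_drops(SAMPLE_EVENTS)` reports only the PowerShell write under the cmd.exe tree; the installer's own Startup shortcut is not flagged.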

According to the co-founder himself, Alex Smirnov, this malware only attacked Windows systems, serving a ZIP file with a real PDF if the executable detected a macOS system. He also claims that most deBridge Finance employees reported the email as suspicious, but one of them took the bait and opened and downloaded the attachment, which allowed Smirnov to analyze the attack.

Although it has not been possible to fully corroborate that the North Korean Lazarus group was responsible, there are many overlaps that point to that group.

The attribution rests on the group’s many attacks on cryptocurrency specialists and its modus operandi of sending emails with fake job offers or salary increases. In addition, overlaps have been found in the file names and infrastructure used by the group in previous attacks, for example in the campaigns referred to as CryptoCore or CryptoMimic.

The Lazarus group has also been observed running the same campaign against cryptocurrency firms since March this year, when it attacked the Woo Network platform through an alleged Coinbase job offer, using the same fake-PDF trick and targeting only Windows machines.