deBridge suspects Lazarus Group behind attempted phishing attack

Email sign with a fish hook on blue digital background
(Image credit: Shutterstock)

Infamous North Korean cybercrime group Lazarus has been flagged in an attempted cyber attack on cross-chain firm deBridge Finance.

The campaign is likely widespread, as confirmed by co-founder Alex Smirnov in a Twitter post on Friday.

The attack vector was via email, with an attached PDF file named "New Salary Adjustments" sent from an address that mirrored Smirnov's own.

Smirnov further explained that macOS users remain unaffected, as opening the said PDF link on a Mac would lead to a zip archive with the normal PDF file Adjustments.pdf (md5: 15a4…39c2).

However, the same is not true in the case of Windows systems. Clicking the PDF link on a Windows device would lead to an archive with a password-protected pdf with the same name (md5: 0038…8bc4), and an additional file named Password.txt.lnk (md5: 2eaa…6a30).

The whole system gets infected upon clicking the password.txt.lnk file link. “It’s interesting that only a few anti-virus solutions mark these files as malicious,” added Smirnov.

Alerting users, Smirnov also advised teams to “never open email attachments without verifying the sender’s full email address.”

The news breaks weeks after the US State Department doubled the reward for information on cyber threat actors having roots in North Korea.