Rob Behnke
August 11th, 2022
In August 2022, the deBridge Finance project was the target of an attempted phishing attack. The sophisticated attack tried to trick recipients into opening a malicious PDF that would compromise their machine.
The attempted phishing attack used a spoofed email address mimicking that of Alex Smirnov, deBridge co-founder. The email claimed to share a PDF; on a Windows machine, the link pointed to a ZIP archive containing a password-protected PDF and a file named Password.txt.lnk. Windows Explorer never displays the .lnk extension, so the shortcut appears to the recipient as a text file named Password.txt, exactly where someone who has just been asked for a password to open the PDF would look.
Opening the LNK file downloaded a loader that checked the system for antivirus software and, if none was found, installed a backdoor.
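The lure above follows a recognisable pattern: a decoy document shipped alongside a Windows shortcut whose name imitates a harmless file. The following triage script is an added example written for this page, not code from Halborn or deBridge. It inspects a ZIP attachment for members with an executable extension, for double extensions such as `.txt.lnk`, and for content that carries the Windows shell-link header regardless of what the file is called; the sample archive it builds is constructed for the demonstration and contains only a bare shortcut header, not the campaign's payload.

```python
"""Triage a ZIP attachment for the decoy-plus-shortcut lure pattern.
Added example; not code from the original post or the projects it describes."""
import io
import zipfile

# Extensions Windows executes or hands to a script host on double-click.
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "hta", "ps1", "pif", "com", "msi"}

# Extensions a user expects to be inert; used to spot names like "Password.txt.lnk".
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg"}

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def classify_name(name):
    """Return the reasons a member name alone looks suspicious (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{ext}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"masquerades as .{parts[-2]}")
        if ext == "lnk":
            # Explorer hides the .lnk extension, so the victim sees only the inner name.
            reasons.append(f"Explorer displays this shortcut as '{base[:-4]}'")
    return reasons


def is_shell_link(data):
    """True if the first 20 bytes are a Windows shell-link header."""
    return data[:20] == LNK_MAGIC


def scan_zip(zip_bytes):
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            try:
                with zf.open(info) as member:
                    head = member.read(20)
            except RuntimeError:
                # Encrypted member: a common trick to keep scanners from looking inside.
                reasons.append("encrypted member, contents not inspected")
                head = b""
            if is_shell_link(head) and not info.filename.lower().endswith(".lnk"):
                reasons.append("content is a Windows shell link despite the extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_lure():
    """Constructed sample mirroring the lure's layout: a placeholder PDF plus a
    shortcut named to look like a text file. The shortcut body is only a
    zero-filled 76-byte header (the header's own stated size); it is not the
    real campaign's file."""
    return build_zip({
        "Shared_Document.pdf": b"%PDF-1.7\n% placeholder; password-protected in the real lure\n",
        "Password.txt.lnk": LNK_MAGIC + bytes(76 - len(LNK_MAGIC)),
    })


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_lure()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The content check matters because the name check alone is defeated by a shortcut stored under a different extension and relaunched by a second stage; the encrypted-member branch records that the archive could not be inspected rather than silently passing it.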
Once installed, the backdoor connects to a command-and-control server and reports information about the infected computer and its user.
Because the same channel lets the attacker run arbitrary commands on the infected computer, the malware could just as easily search for passwords or private keys stored on the device, install a keylogger to capture them, or deploy additional malware that alters the destination or contents of transactions.
The tools and techniques from the deBridge phishing attack are very similar to those used by the Lazarus Group, an Advanced Persistent Threat (APT) group associated with North Korea.
While the attack was unsuccessful in this case, future campaigns could have significant impacts.
Phishing attacks are a common tactic of cyber threat actors because they work. David Schwed, Halborn’s COO, recently commented on the attack in Bitcoinist: “These types of attacks are pretty prevalent… they rely on the inquisitive character of people by labeling the files something that would spark their curiosity, such as salary information.”
Companies and individuals can protect themselves against these phishing attacks by following security best practices such as:
For more information about keeping your DeFi project secure against cyberattacks, reach out to our security experts at halborn@protonmail.com.