Cross-chain cryptocurrency platform deBridge Finance is suspected to have been targeted by North Korean hacking group Lazarus in a phishing campaign aimed at cryptocurrency theft, according to BleepingComputer.
Numerous deBridge Finance employees were sent phishing emails about salary adjustments that spoofed company co-founder Alex Smirnov. Each email included an HTML file spoofing a PDF pertaining to salary changes and a Windows .lnk shortcut impersonating a plain text file. Opening the fake PDF launches a cloud storage location with the password for the LNK file.
Opening the LNK file, meanwhile, triggers Command Prompt execution and remote payload retrieval, Smirnov noted in a thread on Twitter. Some antivirus solutions were able to flag the malware, which has the capability to gather usernames, CPU, operating system, network adapters, running processes, and other system information.
The attack has been associated with the Lazarus group following the discovery of similarities in file names and infrastructure to those leveraged in a previous Lazarus attack reported last month.
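Both attachments described above rely on a mismatch between the type a file name suggests and what the file actually contains. The following is an added example, not code from deBridge or BleepingComputer: a mail-gateway style triage check that compares the two. The function names and sample file names are hypothetical and constructed, and it assumes Windows Explorer is hiding the final extension.

```python
import struct

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then the fixed LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

def sniff(data: bytes) -> str:
    """Identify the real type from the leading bytes, ignoring the file name."""
    head = data[:1024]
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(b"%PDF-"):
        return "pdf"
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()  # skip BOM and whitespace
    if text.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def shown_type(name: str) -> str:
    """Type a user infers from the name when the last extension is hidden.
    Explorer never displays .lnk, so 'x.txt.lnk' is shown as 'x.txt'."""
    exts = name.lower().split(".")[1:]
    if not exts:
        return ""
    shown = exts[-2] if len(exts) >= 2 else exts[-1]
    return "html" if shown == "htm" else shown

def triage(name: str, data: bytes) -> dict:
    """Flag shortcuts and HTML files whose name advertises another type."""
    real, shown = sniff(data), shown_type(name)
    return {"name": name, "real": real, "shown": shown,
            "suspicious": real in ("lnk", "html") and shown != real}

# Constructed sample attachments (names and bytes are illustrative only).
SAMPLES = [
    ("salary-changes.pdf.html", b"<!DOCTYPE html><html><body></body></html>"),
    ("readme.txt.lnk", LNK_MAGIC + b"\x00" * 60),
    ("handbook.pdf", b"%PDF-1.7\n"),
    ("notes.txt", b"plain text content\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(triage(name, data))
```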