The notorious North Korean hacking outfit dubbed Lazarus has launched a sophisticated attack campaign targeting cryptocurrency investors. This campaign, discovered by Kaspersky researchers, consists of a multi-layered assault chain that includes social engineering, a fake game website, and a zero-day flaw in Google Chrome.
The report claims that in May 2024, Kaspersky Total Security identified a new attack chain that used the Manuscrypt backdoor to target the personal computer of an unidentified Russian citizen.
Kaspersky researchers Boris Larin and Vasily Berdnikov believe the campaign began in February 2024. After investigating the attack further, analysts discovered that the attackers had developed a website called "detankzonecom" that seemed to be a genuine platform for the game "DeFiTankZone."
This game reportedly combines Decentralised Finance (DeFi) elements with Non-Fungible Tokens (NFTs) in a Multiplayer Online Battle Arena (MOBA) situation. The website even offers a downloadable trial edition, adding to the look of trustworthiness. However, beneath the surface is a malicious trap.
“Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC,” researchers noted.
The exploit contains code for two vulnerabilities: one that enables hackers to access the whole address space of the Chrome process using JavaScript (CVE-2024-4947), and the other that allows attackers to circumvent the V8 sandbox and access memory outside the confines of the register array.
Google addressed CVE-2024-4947, a type confusion flaw in the V8 JavaScript and WebAssembly engine, in March 2024, although it's unknown if attackers discovered it first and weaponised it as a zero-day or exploited it as an N-day flaw.
In this campaign, Lazarus has used social media sites like LinkedIn and X (previously Twitter) to target prominent players in the cryptocurrency field. With several accounts on X, they created a social media presence and actively promoted the fake game. They also hired graphic designers and generative AI to create amazing advertising material for the DeTankZone game. The group also sent carefully designed messages to interested parties pretending to be blockchain startups or game developers looking for funding.
This campaign highlights how the Lazarus Group's strategies have changed. It is crucial to be wary of unsolicited investment opportunities, particularly when they involve dubious social media promotions or downloadable game clients. In order to mitigate the risk of zero-day attacks, it is also crucial to maintain browser software, such as Chrome, updated with the most recent security fixes.