In a new and sophisticated campaign, the infamous North Korean-affiliated Lazarus APT group and its BlueNoroff subgroup have once again proven their expertise in exploiting zero-day vulnerabilities.
The group, known for targeting financial institutions, governments, and even cryptocurrency platforms, has now expanded its operations to lure investors using a seemingly innocuous decentralized finance (DeFi) game.
Lazarus, notorious for using its malware known as Manuscrypt, has been employing the malicious software since 2013 across more than 50 campaigns globally. These include attacks on governments, diplomatic entities, and cryptocurrency platforms. However, their latest exploit, detected as early as 13 May 2024 via Kaspersky’s Total Security product, caught researchers’ attention for its unique target—an individual in Russia.
The malware infection stemmed from a zero-day vulnerability in Google Chrome, executed through a fake website promoting an NFT-based multiplayer online battle arena (MOBA) tank game. This website, detankzone[.]com, was designed to mimic a professional gaming product page, inviting users to download a demo version of the game.
However, the game itself was just a front. Hidden within the site was a script that triggered the zero-day exploit, allowing the attackers to take full control of the victim’s PC simply by visiting the page.
The Exploit Unveiled
Upon further investigation, Kaspersky’s research team discovered that the attackers had exploited a previously unknown vulnerability (CVE-2024-4947) in Google Chrome’s JavaScript engine, V8.
This engine, responsible for executing scripts in Chrome, underwent changes in late 2023, including the introduction of a new optimizing compiler called Maglev. Lazarus took advantage of a critical flaw in this compiler to bypass security protocols and manipulate memory in Chrome processes.
The vulnerability allowed the malefactors to read and write Chrome process memory, opening the door to a full-scale attack. Kaspersky reported the issue to Google, leading to a security patch on 15 May, which mitigated the risk for millions of Chrome users.
However, although Google quickly blocked malicious websites linked to this campaign, Microsoft’s subsequent report on 28 May 2024, missed a crucial detail: the zero-day vulnerability. Microsoft attributed the attack to a newly identified North Korean threat actor, Moonstone Sleet, but did not recognize the severity of the zero-day exploit.
Kaspersky’s full report now details the intricate nature of the vulnerability and how the DeFi game was used as a lure for unsuspecting victims.
Broader Implications
The Lazarus group’s move to exploit zero-day vulnerabilities in web browsers underscores their evolving strategy to target investors and financial platforms. Their campaign spotlights the increasing risks faced by the cryptocurrency industry, particularly in decentralized finance ecosystems.
As blockchain gaming and DeFi platforms gain popularity, they are attracting more attention from threat actors looking to steal sensitive data or funds. The Lazarus APT’s use of advanced malware and highly targeted campaigns heralds a dangerous trend for both investors and platform operators in the cryptocurrency space.
With this latest zero-day discovery, security experts are urging users to stay vigilant when interacting with online platforms, particularly those related to cryptocurrency and NFTs, where threat actors are increasingly focusing their efforts.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.