Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game
North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with a deceptive and fake NFT game. The attackers use social engineering and malicious software to steal sensitive data and potentially deploy further malware.
The infamous North Korean hacking group, Lazarus Group, has launched a sophisticated attack campaign targeting cryptocurrency investors. This campaign, uncovered by Kaspersky researchers, involves a multi-layered attack chain that leverages social engineering, a fake game website, and a zero-day exploit in Google Chrome.
According to the report, Kaspersky Total Security discovered a new attack chain in May 2024 targeting an unnamed Russian national’s personal computer using the Manuscrypt backdoor.
Kaspersky researchers Boris Larin and Vasily Berdnikov estimate that the campaign started in February 2024. Delving deeper into the attack, the researchers found that the attackers had created a website, “detankzone[.]com”, that appears to be a legitimate platform for a game called “DeFiTankZone”.
This game supposedly combines Decentralized Finance (DeFi) elements with Non-Fungible Tokens (NFTs) within a Multiplayer Online Battle Arena (MOBA) setting. The website even features a downloadable trial version, further enhancing the illusion of legitimacy. However, beneath the surface lies a malicious trap.
The fake NFT game site and the hidden exploit loader (via Kaspersky)
“Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC,” researchers wrote.
The exploit contains code for two vulnerabilities: the first (CVE-2024-4947) allows attackers to read and write the entire address space of the Chrome process from JavaScript, and the second bypasses the V8 sandbox to access memory outside the bounds of the register array. Google patched CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine, in March 2024, but it is unclear whether the attackers discovered it earlier and weaponized it as a zero-day or exploited it as an N-day vulnerability.
An n-day vulnerability refers to a security flaw or weakness that has already been discovered, publicly disclosed, and typically patched or mitigated by the software vendor. The term “n-day” indicates that the vulnerability has been known for “n” days, where n represents the number of days since the vulnerability was first disclosed or patched.
Following successful exploitation, the attackers deploy a custom script (validator) to gather system information and determine if the infected device holds any valuable assets worth further exploitation. The specific payload delivered after this stage remains unknown.
In this campaign, Lazarus has targeted influential figures in the cryptocurrency space, leveraging social media platforms like X (formerly Twitter) and LinkedIn. They established a social media presence with multiple accounts on X, actively promoting the fake game, and employed generative AI and graphic designers to create high-quality promotional content for the DeTankZone game. Additionally, the group sent specially crafted emails to individuals of interest, posing as blockchain companies or game developers seeking investment opportunities.
The DeTankZone website itself appears to be built upon the stolen source code of a legitimate blockchain game called DeFiTankLand (DFTL). This game experienced a security breach in March 2024, leading to the theft of $20,000 worth of cryptocurrency.
While the developers suspected an insider, Kaspersky researchers believe Lazarus Group might be responsible for both the theft and the repurposing of the stolen source code for their malicious campaign.
This campaign highlights the evolving tactics of the Lazarus Group. It’s crucial to be wary of unsolicited investment opportunities, especially those involving downloadable game clients or suspicious social media promotions. Additionally, keeping browser software like Chrome updated with the latest security patches is essential to mitigate the risk of zero-day exploits.
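The patching advice above is only actionable if you can see which Chrome builds are actually in use. The script below is an added example, not Kaspersky's or the article's code: it scans web-proxy log lines for Chromium browsers whose reported build is older than a patched baseline, and for connections to the lure domain the article names. The log layout, the client IPs, and the log lines themselves are constructed for this example, and the `PATCHED_BASELINE` value is a placeholder to be replaced with the fixed build from the vendor advisory for the CVE being tracked.

```python
"""Flag outdated Chromium builds and lure-domain hits in proxy logs (added example)."""
from __future__ import annotations

import re

# Assumed log layout (constructed for this example): timestamp, client IP, destination host, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

# The "Chrome/<version>" token also appears in Edge, Brave and other Chromium-based browsers,
# so a hit means "a Chromium build of this version", not necessarily Google Chrome.
CHROME_UA = re.compile(r'\bChrome/(?P<ver>\d+(?:\.\d+){3})\b')

# PLACEHOLDER baseline: substitute the fixed build number from the vendor advisory for the CVE you track.
# Modern Chrome reduces its User-Agent to "<major>.0.0.0", so only the major version is reliably
# visible in logs; the full build has to come from endpoint inventory.
PATCHED_BASELINE = "125.0.0.0"

# Watchlist of lure domains named in the article (plain form so host matching works).
LURE_DOMAINS = {"detankzone.com"}

# Constructed sample log lines; cdn.example.test is a made-up host.
SAMPLE_LOG = """\
2024-05-20T10:01:02Z 10.0.0.11 cdn.example.test "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2024-05-20T10:03:15Z 10.0.0.12 cdn.example.test "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
2024-05-20T10:04:40Z 10.0.0.13 detankzone.com "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
2024-05-20T10:05:01Z 10.0.0.14 cdn.example.test "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.100 Safari/537.36"
2024-05-20T10:06:22Z 10.0.0.15 cdn.example.test "curl/8.4.0"
garbage line that does not fit the layout
"""


def parse_version(ver: str) -> tuple[int, ...]:
    """Turn "125.0.6422.60" into (125, 0, 6422, 60) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in ver.split("."))


def chrome_version(user_agent: str) -> str | None:
    """Return the Chromium build string from a User-Agent, or None if there is none."""
    match = CHROME_UA.search(user_agent)
    return match.group("ver") if match else None


def is_outdated(ver: str, baseline: str = PATCHED_BASELINE) -> bool:
    """True when the reported build is strictly older than the patched baseline."""
    return parse_version(ver) < parse_version(baseline)


def scan(log_text: str, baseline: str = PATCHED_BASELINE) -> dict[str, list[dict]]:
    """Scan log lines and collect outdated-browser findings and lure-domain hits, keyed by finding type."""
    findings: dict[str, list[dict]] = {"outdated_chrome": [], "lure_domain_hit": []}
    for raw in log_text.splitlines():
        match = LOG_LINE.match(raw)
        if not match:
            continue  # lines that do not fit the assumed layout are skipped, not guessed at
        rec = match.groupdict()
        ver = chrome_version(rec["ua"])
        if ver and is_outdated(ver, baseline):
            findings["outdated_chrome"].append({"ts": rec["ts"], "client": rec["client"], "version": ver})
        if rec["host"].lower() in LURE_DOMAINS:
            findings["lure_domain_hit"].append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"]})
    return findings


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed sample the scan reports 10.0.0.11 and 10.0.0.14 as running builds below the baseline and 10.0.0.13 as having contacted the lure domain; the curl line and the malformed line produce nothing. Because of User-Agent reduction, treat the version check as a coarse triage signal and confirm the exact build through endpoint management before acting on it.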