Security
Headlines
HeadlinesLatestCVEs

Headline

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the

The Hacker News
#vulnerability#web#mac#google#microsoft#git#java#backdoor#zero_day#chrome#The Hacker News

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices.

Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor.

This entails triggering the zero-day exploit simply upon visiting a fake game website (“detankzone[.]com”) that was aimed at the individuals in the cryptocurrency sector. The campaign is estimated to have commenced in February 2024.

“On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version,” Kaspersky researchers Boris Larin and Vasily Berdnikov said.

“But that was just a disguise. Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC.”

The vulnerability in question is CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine that Google patched in mid-May 2024.

The use of a malicious tank game (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) as a conduit to deliver malware is a tactic that Microsoft has attributed to another North Korean threat activity cluster dubbed Moonstone Sleet.

These attacks are carried out by approaching prospective targets through email or messaging platforms, tricking them into installing the game by posing as a blockchain company or a game developer seeking investment opportunities.

Kaspersky’s latest findings add another piece to the attack puzzle, highlighting the role played by the zero-day browser exploit in the campaign.

Specifically, the exploit contains code for two vulnerabilities: the first is used to give attackers read and write access to the entire address space of the Chrome process from the JavaScript (CVE-2024-4947), and the second is abused to get around the V8 sandbox.

“The [second] vulnerability is that the virtual machine has a fixed number of registers and a dedicated array for storing them, but the register indexes are decoded from the instruction bodies and are not checked,” the researchers explained. “This allows attackers to access the memory outside the bounds of the register array.”

The V8 sandbox bypass was patched by Google in March 2024 following a bug report that was submitted on March 20, 2024. That said, it’s currently not known if the attackers discovered it earlier and weaponized it as a zero-day, or if it was exploited as an N-day vulnerability.

Successful exploitation is followed by the threat actor running a validator that takes the form of a shellcode responsible for gathering system information, which is then used to determine if the machine is valuable enough to conduct further post-exploitation actions. The exact payload delivered after this stage is currently unknown.

“What never ceases to impress us is how much effort Lazarus APT puts into their social engineering campaigns,” the Russian company said, pointing out the threat actor’s pattern of contacting influential figures in the cryptocurrency space to help them promote their malicious website.

“For several months, the attackers were building their social media presence, regularly making posts on X (formerly Twitter) from multiple accounts and promoting their game with content produced by generative AI and graphic designers.”

The attacker’s activity has been observed across X and LinkedIn, not to mention the specially-crafted websites and email messages sent to targets of interest.

The website is also designed to lure visitors into downloading a ZIP archive (“detankzone.zip”) that, once launched, is a fully functional downloadable game that requires player registration, but also harbors code to launch a custom loader codenamed YouieLoad, as previously detailed by Microsoft.

What’s more, it’s believed that the Lazarus Group stole the source code for the game from a legitimate blockchain play-to-earn (P2E) game named DeFiTankLand (DFTL), which suffered a hack of its own in March 2024, leading to the theft of $20,000 worth of DFTL2 coins.

Although the project developers blamed an insider for the breach, Kaspersky suspects that the Lazarus Group was behind it, and that they stole the game’s source code alongside the DFTL2 coins and repurposed it to advance their goals.

“Lazarus is one of the most active and sophisticated APT actors, and financial gain remains one of their top motivations,” the researchers said.

“The attackers’ tactics are evolving and they’re constantly coming up with new, complex social engineering schemes. Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows. This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game

North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to

Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild

Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap