Lazarus Group Exploits Google Chrome Flaw to Hijack Infected Devices
The North Korean cyber threat group, Lazarus, has been linked to the zero-day exploitation of a recently patched security flaw in Google Chrome, allowing them to gain control of infected systems.
According to cybersecurity firm Kaspersky, the group launched an attack in May 2024, targeting a Russian individual's computer with the Manuscrypt backdoor. The attack was delivered through a fake gaming website, "detankzone[.]com", aimed at individuals in the cryptocurrency sector. Kaspersky estimates the campaign began as early as February 2024.
The website appeared to promote a decentralized finance (DeFi) NFT-based multiplayer online battle arena (MOBA) tank game, inviting users to download a trial. However, a hidden script on the site exploited a zero-day vulnerability in Google Chrome (CVE-2024-4947), a type confusion flaw in the V8 JavaScript engine, to hijack the user's system.
Microsoft has attributed similar tactics involving malicious tank games, such as DeTankWar and DeFiTankWar, to another North Korean group, Moonstone Sleet. The attackers used fake blockchain companies and game developer personas to lure victims through email and messaging platforms, tricking them into downloading malware-laden games.
Kaspersky’s research also uncovered that Lazarus exploited two vulnerabilities in the campaign: one giving them read and write access to Chrome's address space (CVE-2024-4947) and another bypassing the V8 sandbox. While Google patched the sandbox vulnerability in March 2024, it is unclear whether Lazarus had already discovered and exploited it as a zero-day before that fix.
Once inside the victim’s system, the group used a shellcode validator to collect system information and determine if further exploitation was worthwhile. Although the final payload remains unknown, this attack highlights Lazarus’s ability to adapt and create sophisticated social engineering schemes.
Lazarus’s social engineering efforts were particularly impressive, as they spent months building a presence on platforms like X (formerly Twitter) and LinkedIn, using generative AI to create promotional content for their fake game. They also created specialized websites and targeted emails to reach influential figures in the cryptocurrency space.
The group’s fake website offered a downloadable ZIP archive of the game, which contained malicious code and a custom loader, YouieLoad, as previously reported by Microsoft. Kaspersky suspects that Lazarus also stole the source code for this game from a legitimate blockchain play-to-earn (P2E) project, DeFiTankLand (DFTL), which was hacked in March 2024. This attack resulted in the theft of $20,000 worth of DFTL2 coins.
Despite the developers blaming an insider for the breach, Kaspersky believes Lazarus orchestrated the hack to further their financial gain. As one of the most sophisticated APT groups, Lazarus continues to evolve, using generative AI to create more elaborate social engineering attacks, and their motivation for financial gain remains strong.