
The North Korean hacking group Lazarus exploited a serious Google Chrome zero-day vulnerability, tracked as CVE-2024-4947, which Kaspersky’s Global Research and Analysis Team (GReAT) discovered. The attackers began targeting bitcoin users in February 2024 with a fake decentralized finance (DeFi) game named DeTankZone.

By abusing a flaw in Chrome’s V8 JavaScript engine, the vulnerability, which was discovered on May 13, 2024, gave Lazarus the ability to execute code remotely and access private browser data, including cookies, authentication tokens, and saved passwords.

On May 25, 2024, Google fixed the problem in Chrome version 125.0.6422.60/.61. However, Lazarus had already begun a hostile campaign aimed specifically at bitcoin investors before this fix was released.
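Because the fix shipped in a specific Chrome build, the first question for a defender is whether every endpoint in the fleet is on 125.0.6422.60 or later. The script below is an added example, not code from the article, Kaspersky, or Google; it assumes you already have a host-to-version inventory (the sample dictionary is constructed) and shows the one pitfall that matters here: comparing dotted version strings lexically rather than numerically.

```python
"""Flag Chrome installs that predate the CVE-2024-4947 fix.

Added example, not from the article or from Kaspersky/Google. The only fact
taken from the article is the fixed build pair 125.0.6422.60/.61; the host
names and versions in SAMPLE_INVENTORY are constructed for illustration.
"""
from typing import Dict, List, Tuple

# First fixed build named in the article (.61 is the same fix on another channel).
FIXED_VERSION = "125.0.6422.60"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so comparison is numeric.

    A lexical string comparison is the classic mistake here:
    "125.0.6422.9" > "125.0.6422.60" as strings, but build 9 < build 60.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is the fixed build or anything newer."""
    inst, fix = parse_version(installed), parse_version(fixed)
    # Zero-pad the shorter tuple so "125.1" compares as 125.1.0.0.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose Chrome build still predates the fix, sorted by name."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: hostname -> Chrome version reported by the endpoint agent.
SAMPLE_INVENTORY = {
    "ws-01": "124.0.6367.208",  # previous major release, unpatched
    "ws-02": "125.0.6422.60",   # exactly the fixed build
    "ws-03": "125.0.6422.9",    # a string compare would wrongly call this patched
    "ws-04": "126.0.6478.55",   # later release, patched
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} predates fixed build {FIXED_VERSION}")
```

Feed `triage()` whatever your endpoint management tool exports; the version parsing is the only part that needs to be right, and it is where ad-hoc scripts usually go wrong.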

In order to advertise DeTankZone, an NFT-based multiplayer online battle arena (MOBA) game with a tank theme, the attackers created a spoof website called detankzone[.]com. Using premium LinkedIn profiles, spear-phishing emails, and social media advertisements, the game was aggressively promoted as a genuine blockchain project.

The game was available for download as a 400MB ZIP file, but users were unable to get past the registration screen. The zero-day exploit was instead launched by hidden JavaScript on the website itself.

It was a highly advanced attack that abused Chrome’s Just-In-Time (JIT) compiler, Maglev, to corrupt the browser’s memory and gain access to the whole address space of its process.

To get out of Chrome’s sandbox environment, the attackers used a secondary vulnerability in the V8 engine, according to Kaspersky. By using this method, Lazarus was able to gather system data, including CPU, BIOS, and OS information, as well as carry out anti-VM and anti-debugging tests in order to avoid detection.

Although this second hole was addressed in March 2024, it is unknown whether Lazarus had identified and exploited it as a zero-day before Google’s patch, or whether it was first exploited as a one-day vulnerability after the fix.

Manuscrypt, the malware Lazarus deployed, is a well-known weapon in the group’s toolbox that is frequently employed in cyber espionage operations.

The Lazarus campaign is consistent with the group’s other attempts to support North Korea’s economy in the face of international sanctions by stealing digital assets, especially cryptocurrency. The attackers are renowned for breaking into high-value targets by using complex social engineering techniques and taking advantage of software flaws.

Lazarus and its fellow North Korean groups have had a busy year. As previously disclosed, the organization was aggressively exploiting a Windows bug that gave them remote access to the kernel. According to other reports, a VPN vulnerability was exploited by Kimsuky (APT43) and Andariel (APT45) to distribute info-stealer malware.

Lazarus Group Uses a Phishing DeFi Game to Take Advantage of Chrome Zero-Day
Copyright Notice © https://top-privacy-vpn.com/, 2024. All rights reserved. The logo and design of this website are the exclusive property of https://top-privacy-vpn.com/ and are protected by international copyright laws. All other logos and trademarks belong to their respective VPN providers. The information and comparisons provided are for informational purposes and belong to https://top-privacy-vpn.com/. Unauthorized use, reproduction, or distribution of this website’s design, logo, and content is strictly prohibited without prior written permission. For permissions or inquiries, please contact : support@top-privacy-vpn.com