Lazarus APT Hackers Exploit Chrome Zero-Day via Cryptocurrency Game


The notorious Lazarus Advanced Persistent Threat (APT) group has exploited a zero-day vulnerability in the Google Chrome browser, using a cryptocurrency-themed game as a lure.

The attack highlights the evolving tactics of this North Korean-linked group, known for its financial motivations and advanced social engineering strategies.


On May 13, 2024, Kaspersky’s security systems detected a new infection on a personal computer in Russia, revealing the exploitation of a zero-day vulnerability in Google Chrome.

The attack was traced back to a website, detankzone[.]com, which masqueraded as a legitimate product page for a decentralized finance (DeFi) NFT-based multiplayer online battle arena (MOBA) tank game.


Exploitation of Vulnerabilities

However, beneath its seemingly innocuous facade lay a malicious script designed to exploit users’ browsers and gain control over their systems.

The exploit leveraged two vulnerabilities. The first allowed attackers to read and write memory within the Chrome process, while the second bypassed the V8 sandbox, a security feature designed to isolate memory and prevent unauthorized code execution.

Chrome Zero-day via Game

This sophisticated attack enabled the hackers to execute arbitrary code on victims’ machines.

Upon discovering the exploit, Kaspersky promptly reported it to Google. Within two days, Google released an update addressing the vulnerability (CVE-2024-4947) in Chrome version 125.0.6422.60.

Additionally, Google blocked access to detankzone[.]com and related malicious sites to protect users from further attacks.

Lazarus APT’s campaign extended beyond technical exploits to include elaborate social engineering efforts. The group built a social media presence to promote their fake game, even reaching out to cryptocurrency influencers to amplify their reach.

This multifaceted approach underscores Lazarus’s commitment to crafting convincing narratives around their attacks.

The attackers developed a seemingly legitimate game as part of their deception strategy. The game, initially appearing as a genuine product developed in Unity, was based on stolen source code from an existing game called DeFiTankLand (DFTL).

This added layer of authenticity made the malicious campaign more credible and enticing to potential victims.

The Lazarus group’s use of zero-day vulnerabilities and advanced social engineering tactics poses significant threats to individuals and organizations. Their ability to adapt and innovate in their attack methods suggests that such threats will persist and evolve.

Staying vigilant is crucial for end-users. Regularly updating software and exercising caution when interacting with unsolicited links or downloads can mitigate risks.

As browser developers continue hardening components such as JIT compilers and sandboxes, users are encouraged to keep their systems updated to protect against emerging threats.
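The two checks a defender can act on from this report are the fixed Chrome build and the lure domain. The script below is an added example, not code from the article or from Kaspersky: it compares an installed Chrome version string against the fixed build the article names (125.0.6422.60) and scans constructed proxy-style log lines for contact with detankzone[.]com, including subdomains. The log line format, the sample version strings and the sample log entries are assumptions made for the example.

```python
"""Defender checks derived from the article: is Chrome older than the build that
fixed CVE-2024-4947, and do proxy/DNS logs show contact with the lure domain?"""
import re

FIXED_CHROME_VERSION = "125.0.6422.60"   # fixed build named in the article
LURE_DOMAIN = "detankzone.com"           # lure site named (defanged) in the article


def parse_version(version: str) -> tuple:
    """Turn '125.0.6422.60' into (125, 0, 6422, 60); reject non-numeric input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build predates the fix. Tuple comparison handles
    versions of different length, e.g. (125, 0) < (125, 0, 6422, 60)."""
    return parse_version(installed) < parse_version(fixed)


def is_lure_host(host: str, lure: str = LURE_DOMAIN) -> bool:
    """Match the lure domain or any subdomain, case-insensitively; refang '[.]'."""
    h = host.lower().rstrip(".").replace("[.]", ".")
    return h == lure or h.endswith("." + lure)


# Assumed log shape for this example: '<timestamp> <client-ip> <host> ...'
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)")


def find_lure_contacts(log_lines):
    """Return (timestamp, client, host) for each line whose host is the lure domain.
    Lines that do not fit the expected shape are skipped rather than crashing the scan."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_lure_host(m.group("host")):
            hits.append((m.group("ts"), m.group("client"), m.group("host")))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-05-13T09:14:02Z 10.1.4.22 www.example.com GET /",
    "2024-05-13T09:15:40Z 10.1.4.22 detankzone.com GET /",
    "2024-05-13T09:15:41Z 10.1.4.22 cdn.detankzone.com GET /game.js",
    "2024-05-13T09:16:05Z 10.1.4.23 notdetankzone.com GET /",   # must not match
    "malformed line",
]

if __name__ == "__main__":
    # Sample version strings, constructed for illustration.
    for v in ("124.0.6000.0", "125.0.6422.60", "125.0.6422.76"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for hit in find_lure_contacts(SAMPLE_LOGS):
        print("lure contact:", *hit)
```

The suffix match in `is_lure_host` is deliberately anchored on a leading dot so that look-alike names such as `notdetankzone.com` do not produce false positives, and defanged indicators copied from a report are refanged before comparison.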

Threat actors continue refining their techniques and leveraging new technologies, such as generative AI for social engineering; cybersecurity measures must evolve accordingly to safeguard against these sophisticated attacks.
