A North Korean threat actor known as the Lazarus Group has been credited with exploiting a now-patched zero-day security flaw in Google Chrome to seize control of infected devices.
Cyber security provider Kaspersky said that in May 2024 it discovered a new attack chain that targeted the personal computer of an unnamed Russian citizen using the Manuscrypt backdoor.
The attack involves triggering a zero-day exploit simply by visiting a fake gaming website (“detankzone(.)com”) aimed at people in the cryptocurrency sector. The campaign is estimated to have begun in February 2024.
“On the surface, this website resembled a professionally designed product page for a NFT (non-fungible token) decentralized finance (DeFi)-based multiplayer online tank battle arena (MOBA) game, inviting users to download a trial version,” Kaspersky researchers Boris Larin and Vasyl Berdnikov said.
“But it was only a disguise. Under the hood, this site had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers full control over the victim’s PC.”
The vulnerability in question is CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine that Google fixed in mid-May 2024.
Using a malicious tank game (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) as a conduit to deliver malware is a tactic Microsoft attributes to another North Korean cluster of threat activity dubbed Moonstone.
These attacks are carried out by approaching potential targets via email or messaging platforms, tricking them into installing a game by pretending to be a blockchain company or game developer looking for investment opportunities.
Kaspersky’s latest findings add another piece to the attack puzzle, highlighting the role of the zero-day browser exploit in the campaign.
Specifically, the exploit contains code for two vulnerabilities: the first is used to give an attacker read-write access to the entire address space of the Chrome JavaScript process (CVE-2024-4947), and the second is used to circumvent the V8 sandbox.
“The (second) vulnerability is that the virtual machine has a fixed number of registers and a dedicated array to store them, but the register indices are decoded from instruction bodies and not checked,” the researchers explained. “This allows attackers to access memory outside of the register array.”
The V8 sandbox bypass was patched by Google in March 2024 after the bug was reported on March 20, 2024. However, it is currently unknown whether the attackers discovered it earlier and weaponized it as a zero-day, or whether it was used as an N-day vulnerability.
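To illustrate the bug class the researchers describe (register indices decoded from instruction bodies and used to index a fixed-size register array without a bounds check), here is a constructed toy bytecode VM with the unchecked accessor beside a hardened one. This is an added example, not V8 code or Kaspersky's material; the instruction encoding, `NUM_REGS` and the `vm_t` layout are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define NUM_REGS 8   /* fixed number of registers (constructed value) */

/* Toy instruction: opcode plus two register indices and an immediate,
   all decoded straight from the instruction body (constructed encoding). */
enum { OP_LOAD_IMM, OP_ADD, OP_HALT };
typedef struct { uint8_t op; uint8_t dst; uint8_t src; int32_t imm; } insn_t;

typedef struct {
    int32_t regs[NUM_REGS];
    int32_t adjacent_state;  /* data that sits right after the register array */
} vm_t;

/* Vulnerable accessor: trusts the index taken from the instruction body.
   An index >= NUM_REGS reads or writes memory outside the register array
   (undefined behaviour in C; in a real VM it lands on whatever follows). */
static int32_t *reg_unchecked(vm_t *vm, uint8_t idx) {
    return &vm->regs[idx];
}

/* Hardened accessor: every index is validated against the fixed register
   count before it is used; out-of-range indices are rejected. */
static int32_t *reg_checked(vm_t *vm, uint8_t idx) {
    if (idx >= NUM_REGS) return NULL;
    return &vm->regs[idx];
}

/* Execute a program. Returns true on a clean halt, false when the hardened
   accessor rejects an index. `checked` selects which accessor is used. */
bool run(vm_t *vm, const insn_t *prog, size_t n, bool checked) {
    for (size_t pc = 0; pc < n; pc++) {
        const insn_t *i = &prog[pc];
        int32_t *d = checked ? reg_checked(vm, i->dst) : reg_unchecked(vm, i->dst);
        int32_t *s = checked ? reg_checked(vm, i->src) : reg_unchecked(vm, i->src);
        if (!d || !s) return false;      /* only reachable in checked mode */
        switch (i->op) {
        case OP_LOAD_IMM: *d = i->imm;  break;
        case OP_ADD:      *d = *d + *s; break;
        case OP_HALT:     return true;
        }
    }
    return true;
}
```

The defensive point is that the check must live at the accessor, so every decode path that yields a register index passes through it.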
After a successful exploit, the threat actor launches a validator, which takes the form of shellcode, responsible for collecting system information that is then used to determine whether the machine is valuable enough to take further action after the exploit. The exact payload delivered after this stage is currently unknown.
“What never ceases to amaze us is how much effort Lazarus APT puts into its social engineering campaigns,” the Russian company said, pointing out that the threat actor contacted cryptocurrency influencers to help promote its malicious site.
“Over the course of several months, the attackers built up their social media presence, regularly posting to X (formerly Twitter) from multiple accounts and promoting their game with content created by generative artificial intelligence and graphic designers.”
Attacker activity was observed on X and LinkedIn, not to mention specially crafted websites and emails sent to targets of interest.
The website is also designed to encourage visitors to download a ZIP archive (“detankzone.zip”) which, when launched, is a full-featured game that requires player registration, but also contains code to launch a custom loader codenamed YouieLoad, as Microsoft detailed earlier.
Moreover, Lazarus Group is believed to have stolen the game’s source code from a legitimate play-to-earn (P2E) blockchain game called DeFiTankLand (DFTL), which suffered its own hack in March 2024, leading to the theft of $20,000 worth of DFTL2 coins.
Although the project developers blamed the hack on an insider, Kaspersky suspects that the Lazarus Group is behind it and that they stole the game’s source code along with DFTL2 coins and repurposed it for their own purposes.
“Lazarus is one of the most active and sophisticated APT actors, and financial gain remains one of their main motivations,” the researchers note.
“The tactics of attackers are evolving and they are constantly coming up with new, sophisticated social engineering schemes. Lazarus has already successfully started using generative artificial intelligence, and we predict that they will come up with even more sophisticated attacks with it.”