Lazarus Group Exploits Chrome Zero-Day With Fake DeFi Game

Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a critical Google Chrome zero-day vulnerability, tracked as CVE-2024-4947, that was being exploited by the North Korean Lazarus hacking group. The attackers used a fake decentralized finance (DeFi) game called DeTankZone to target cryptocurrency users starting in February 2024.

The flaw, discovered on May 13, 2024, allowed Lazarus to execute code remotely and access sensitive browser data like cookies, authentication tokens, and saved passwords by exploiting Chrome’s V8 JavaScript engine.

Google patched the issue on May 25, 2024, in Chrome version 125.0.6422.60/.61. However, before this patch, Lazarus had already launched a malicious campaign that specifically targeted cryptocurrency investors.

The attackers set up a decoy website, detankzone[.]com, which promoted DeTankZone, an NFT-based multiplayer online battle arena (MOBA) game themed around tanks. The game, presented as a legitimate blockchain project, was actively marketed through social media ads, spear-phishing emails, and premium LinkedIn accounts.

While users could download a 400MB ZIP file containing the game, it failed to run beyond the registration screen. The website’s hidden scripts, however, activated the zero-day exploit.

It was a fairly sophisticated attack, relying on Chrome's Just-In-Time (JIT) compiler, Maglev, to corrupt the browser’s memory and access the entire address space of its process.

Kaspersky noted that the attackers used a secondary flaw in Chrome's V8 engine to escape its sandbox environment. This technique enabled Lazarus to collect system information, such as CPU, BIOS, and OS data, as well as perform anti-VM and anti-debugging checks to evade detection.

Although this flaw was fixed in March 2024, it remains unclear whether Lazarus had discovered and exploited the flaw as a zero-day prior to Google’s patch, or if it was initially exploited as a 1-day vulnerability.

The malware used by Lazarus, called Manuscrypt, is a known tool in the group’s arsenal, typically utilized in cyber espionage campaigns.

The Lazarus campaign aligns with the group's previous efforts to steal digital assets, particularly cryptocurrency, to support North Korea’s economy amid international sanctions. The attackers are known for the use of elaborate social engineering tactics and exploiting software vulnerabilities to infiltrate high-value targets.

It has been a busy year for Lazarus and other North Korean counterparts. It has been previously revealed that the group was actively exploiting a Windows issue allowing them to remotely obtain kernel-level access. In other news, Kimsuky (APT43) and Andariel (APT45) were detected exploiting a VPN flaw to spread info-stealer malware.