
Lazarus Group Manipulates Chrome Flaw to Command Breached Devices

The North Korean cyber-espionage group Lazarus has been linked to the zero-day exploitation of a Google Chrome vulnerability, used to take control of compromised systems.

Kaspersky detected the intricate attack chain in May 2024 on the personal computer of an unnamed Russian national, where it deployed the Manuscrypt backdoor.

The attack triggered the zero-day simply by visiting a counterfeit gaming website, “detankzone[.]com,” tailored to appeal to people active in the cryptocurrency sphere. The operation is believed to have begun as early as February 2024.

“At face value, the site presented itself as a polished and professional webpage for a decentralized finance (DeFi) NFT-based multiplayer online battle arena (MOBA) tank game, enticing visitors to download a trial,” Kaspersky’s analysts, Boris Larin and Vasily Berdnikov, reported.

“But beneath this illusion, a clandestine script was activated, operating covertly within the user’s Google Chrome browser, executing a zero-day exploit that provided full access to the attacker,” they elaborated.

The exploited vulnerability, CVE-2024-4947, is a type confusion flaw in the V8 JavaScript and WebAssembly engine, which Google patched in mid-May 2024.

Using a fraudulent tank game, dubbed “DeTankWar” or similar variations, as the vehicle for malware delivery is not unprecedented: Microsoft has attributed the same tactic to another North Korean faction known as Moonstone Sleet.

Those attacks typically reach their victims through targeted emails or messaging applications, with the attackers posing as representatives of blockchain firms or game developers seeking investment, ultimately persuading the targets to install the compromised software.

Kaspersky’s findings add detail to this scheme, emphasizing the central role of the zero-day browser vulnerability in the broader campaign.

The exploit chain relied on two vulnerabilities: the first, CVE-2024-4947, gave the attackers the ability to read and write the entire memory space of the Chrome process from JavaScript; the second allowed them to bypass Chrome’s V8 sandbox.

“The second issue arises because the virtual machine’s register count is finite, and it utilizes a fixed array to store them, but the register indices decoded from the instructions aren’t validated,” Kaspersky researchers detailed. “This oversight permits access to memory locations outside the designated bounds of the array.”
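The unchecked register-index pattern described in the quote above, as an added example in C that is not Kaspersky’s or V8’s code: a hypothetical toy bytecode VM with a finite register file stored in a fixed array, showing the accessor that trusts the decoded index beside a hardened accessor and an ahead-of-time validator that rejects any operand index outside the array. The names (vm_t, insn_t, REG_COUNT, validate_program, run_program), the instruction encoding and the sample programs are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy bytecode VM, constructed for illustration; not V8 code. */
#define REG_COUNT 8

enum opcode { OP_HALT = 0, OP_LOAD_IMM = 1, OP_ADD = 2 };

/* One fixed-width instruction: opcode, destination register, source register,
 * signed immediate. The register fields are decoded straight from the bytes. */
typedef struct {
    uint8_t op;
    uint8_t dst;
    uint8_t src;
    int8_t  imm;
} insn_t;

typedef struct {
    int64_t regs[REG_COUNT];   /* finite register file stored in a fixed array */
} vm_t;

/* Buggy pattern, kept only for contrast and never called: the decoded index is
 * trusted, so idx >= REG_COUNT reads or writes memory beyond regs[]. */
static inline int64_t *reg_unchecked(vm_t *vm, uint8_t idx) {
    return &vm->regs[idx];
}

/* Hardened accessor: an index outside the fixed array is refused. */
static inline int64_t *reg_checked(vm_t *vm, uint8_t idx) {
    return idx < REG_COUNT ? &vm->regs[idx] : NULL;
}

/* Ahead-of-time validation, the check the quoted flaw lacked: walk the program
 * and reject it if any operand index lies outside the register file.
 * Returns the position of the first offending instruction, or -1 if clean. */
long validate_program(const insn_t *prog, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const insn_t *in = &prog[i];
        switch (in->op) {
        case OP_HALT:
            break;
        case OP_LOAD_IMM:
            if (in->dst >= REG_COUNT) return (long)i;
            break;
        case OP_ADD:
            if (in->dst >= REG_COUNT || in->src >= REG_COUNT) return (long)i;
            break;
        default:
            return (long)i;   /* unknown opcode: reject rather than guess */
        }
    }
    return -1;
}

/* Execute a program. Returns 0 on success and -1 on any rejected index;
 * the register file is left untouched when validation fails. */
int run_program(const insn_t *prog, size_t n, vm_t *vm) {
    if (validate_program(prog, n) != -1) return -1;
    for (size_t i = 0; i < n; i++) {
        const insn_t *in = &prog[i];
        int64_t *dst, *src;
        switch (in->op) {
        case OP_HALT:
            return 0;
        case OP_LOAD_IMM:
            dst = reg_checked(vm, in->dst);
            if (dst == NULL) return -1;      /* runtime re-check: defence in depth */
            *dst = in->imm;
            break;
        case OP_ADD:
            dst = reg_checked(vm, in->dst);
            src = reg_checked(vm, in->src);
            if (dst == NULL || src == NULL) return -1;
            *dst += *src;
            break;
        }
    }
    return 0;
}

int main(void) {
    vm_t vm = {{0}};
    /* Constructed sample program: r0 = 5; r1 = 7; r0 += r1 -> 12 */
    insn_t good[] = {
        {OP_LOAD_IMM, 0, 0, 5}, {OP_LOAD_IMM, 1, 0, 7}, {OP_ADD, 0, 1, 0}, {OP_HALT, 0, 0, 0}
    };
    /* Constructed hostile program: destination register 200 in an 8-register VM */
    insn_t bad[] = { {OP_LOAD_IMM, 200, 0, 1}, {OP_HALT, 0, 0, 0} };

    printf("good: rc=%d r0=%lld\n", run_program(good, 4, &vm), (long long)vm.regs[0]);
    printf("bad: first bad insn=%ld rc=%d\n", validate_program(bad, 2),
           run_program(bad, 2, &vm));
    return 0;
}
```

The point of the two layers is that validation happens once, before any instruction runs, so a hostile program never reaches the accessor, while the runtime check in reg_checked covers the case where bytecode is altered after validation.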

Google fixed the V8 sandbox bypass in March 2024, following a bug report submitted on March 20. It is unclear whether the attackers had used the flaw earlier as a zero-day or exploited it as an N-day vulnerability.

After successful exploitation, the attackers deployed a validator in the form of shellcode, which collected system information to determine whether the compromised machine warranted further action. The payload that followed this initial stage remains unknown.

“What continues to astonish us is the sheer dedication Lazarus APT places into its social engineering strategies,” Kaspersky noted, underscoring the group’s pattern of targeting high-profile cryptocurrency figures to market their malicious website.

“For months, the attackers curated an active presence on X (formerly Twitter), posting regularly from multiple accounts and marketing their deceptive game using content created with generative AI and graphic designers,” they added.

The group’s activity spanned X and LinkedIn and extended to personalized emails and websites crafted to deceive key targets.

One such website tricked users into downloading a ZIP file (“detankzone.zip”) containing a fully functional game that required player registration and also embedded a custom loader, dubbed YouieLoad, previously documented by Microsoft.

Lazarus Group is also suspected of having appropriated the game’s source code from a legitimate blockchain-based play-to-earn title, DeFiTankLand (DFTL), which was breached in March 2024; that hack led to the theft of $20,000 in DFTL2 coins.

Although the original developers attributed the breach to an insider, Kaspersky suspects that Lazarus Group carried out the attack, stealing both the game’s source code and the DFTL2 coins to further its operations.

“Lazarus remains one of the most relentless and technically proficient APT collectives, with financial gain driving much of their actions,” the researchers noted.

“They’re continually refining their tactics, integrating more elaborate social engineering techniques, and have now started leveraging generative AI. We anticipate they will soon develop even more sophisticated, AI-driven attacks.”
