Boztek

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

The Lazarus Advanced Persistent Threat (APT) group, and in particular its BlueNoroff subgroup, is a highly capable Korean-speaking threat actor. Known for sophisticated attacks, it has used a specific malware family called Manuscrypt since 2013 in more than 50 campaigns against targets including governments, financial institutions, and cryptocurrency platforms. On May 13, 2024, Kaspersky Total Security detected a Manuscrypt infection on a personal computer in Russia, a rare instance of Lazarus targeting an individual rather than an organization.

Investigating this anomaly, Kaspersky found that the infection originated from a seemingly legitimate website, detankzone[.]com, which posed as the landing page for a decentralized finance (DeFi) game. Hidden within the site was a script that ran a zero-day exploit against a vulnerability in the Google Chrome browser. The browser exploit gave the attackers full control of the victim’s computer, a bait-and-switch in which the game served only as the lure.

The exploit chain relied on two vulnerabilities. The first, designated CVE-2024-4947, gave the attackers read and write access to the memory of the Chrome process, bypassing its safety checks through a bug in Maglev, the new compiler in the V8 JavaScript engine introduced in Chrome 117. The second allowed the V8 heap sandbox to be bypassed, so that code could run outside the memory boundary the sandbox is meant to enforce.

Kaspersky followed responsible disclosure practice and promptly informed Google about the exploit. Google issued a fix and added a warning that blocked access to the malicious site. Microsoft later published its own findings on the attack, revealing that it had been monitoring the same campaign, but without mentioning the zero-day vulnerability that Kaspersky had identified.

To exploit the vulnerability, the attackers carried out a carefully orchestrated sequence: manipulating the memory layout of Chrome’s JavaScript objects, then creating the conditions needed to bypass the V8 sandbox and reach the rest of the process memory. Subsequent analysis showed that the attackers built a legitimate-looking game interface to lure potential victims, demonstrating their social engineering skills.

The game itself turned out to be a stolen version of a legitimate title, DeFiTankLand (DFTL). Further analysis confirmed that the attackers had hijacked its code base, which lent their campaign extra credibility. The theft illustrates the lengths to which Lazarus will go to make an attack believable.

Lazarus’s varied attack strategies are driven by its relentless pursuit of financial gain. The group’s continuing evolution in tactics, including its recent use of generative AI in campaigns, underscores the sophistication of its operations. Kaspersky expects the group’s efforts to keep evolving, particularly through the use of zero-day exploits, which pose a serious threat to unsuspecting users.

Given the inherent weaknesses of modern web browsers, including the vulnerabilities regularly found in JIT compilers, Kaspersky warns users about the risks of seemingly harmless web interactions. It also encourages users to consider alternative browsers, such as Microsoft Edge, which can run with JIT disabled for added security. As browser defenses mature, successfully attacking browsers like Chrome becomes harder, yet the threat from adversaries like Lazarus remains constant.

Ultimately, vulnerabilities of this kind, particularly in browsers and their compilers, remain a pressing concern for both security professionals and end users. The full report also includes indicators of compromise listing the domains, binaries, and tactics used in this campaign, and stresses the ongoing vigilance required to defend against Lazarus’s attacks.
