Boztek

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The Lazarus Group, a North Korean cyber threat actor, is associated with the exploitation of a now-patched zero-day vulnerability in Google Chrome, allowing it to take control of infected devices. This discovery was made by cybersecurity vendor Kaspersky, which identified a sophisticated attack chain in May 2024, targeting a Russian national’s personal computer through the Manuscrypt backdoor. The operation reportedly began in February 2024, utilizing a fake game website, “detankzone[.]com,” specifically aimed at individuals in the cryptocurrency sector.

The deceptive website masqueraded as a professional product page for a decentralized finance (DeFi) multiplayer online tank game. Despite its benign appearance, it contained a hidden script that exploited a zero-day vulnerability in Chrome, effectively granting the attackers complete access to the victim’s computer. The vulnerability identified, CVE-2024-4947, is categorized as a type confusion bug in Chrome’s V8 JavaScript and WebAssembly engine and was patched by Google in May 2024.

Kaspersky noted that the use of a malicious tank game aligns with tactics attributed to another North Korean group known as Moonstone Sleet. This group employs social engineering strategies, luring potential victims via email or messaging platforms, masquerading as blockchain firms or game developers soliciting investments. Kaspersky’s findings underscore the significance of the zero-day exploit in this broader scheme.

The attack chains two vulnerabilities: the first (CVE-2024-4947) lets attackers read and write the entire address space of the Chrome process from JavaScript, while the second bypasses the V8 sandbox. Google patched the latter in March 2024, although it remains unclear whether Lazarus discovered it independently before then or exploited it as an N-day vulnerability. Following successful exploitation, the actors deploy a shellcode validator that collects and analyzes system information to determine whether the machine is valuable enough for further actions.

The group’s social engineering tactics show remarkable sophistication, as highlighted by Kaspersky’s observations. The attackers actively targeted prominent figures within the cryptocurrency sector and built a substantial social media presence to promote their malicious site. Their activities spanned platforms such as X (formerly Twitter) and LinkedIn, alongside tailored websites and spear-phishing to reach their targets.

The fraudulent website also offered a ZIP download (“detankzone.zip”) which, upon extraction, appears to be a functional game while also embedding a custom loader dubbed YouieLoad. Once executed, this loader facilitates additional malicious activity. Furthermore, Kaspersky indicates that the Lazarus Group may have appropriated the source code from a legitimate blockchain game, DeFiTankLand, which was compromised in March 2024, leading to a theft of cryptocurrency.
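The two indicators the article names, the lure domain detankzone[.]com and the archive detankzone.zip, are the kind of thing a defender would sweep proxy and DNS logs for. The script below is an added example, not Kaspersky’s or this site’s code: it refangs the domain, matches it (and its subdomains, but not look-alikes such as notdetankzone.com) against hostnames in each log line, matches the archive name separately, and then ranks clients that both reached the domain and fetched the archive. The log format and the log lines are constructed for the demo; real proxy or resolver logs would need their own field parsing.

```python
"""Sweep proxy/DNS log lines for the indicators named in the article.

Added example, not Kaspersky's or the site's code. The indicators come
from the article (lure domain detankzone[.]com, archive detankzone.zip);
the log format "<timestamp> <client> <method-or-qtype> <url-or-name> [status]"
and the sample lines are constructed for this demo.
"""
import re
from collections import defaultdict

DEFANGED_DOMAINS = ["detankzone[.]com"]   # from the article, kept defanged
ARCHIVE_NAMES = ["detankzone.zip"]        # from the article

# Generic hostname token. ".zip" is itself a valid TLD, so the archive
# name is matched by a separate check rather than by this pattern.
HOST_RE = re.compile(
    r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])", re.I)

# Constructed sample log; only client 10.0.0.15 both visits the lure
# domain and downloads the archive from it.
SAMPLE_LOG = """\
2024-05-13T09:12:01Z 10.0.0.15 GET https://www.detankzone.com/ 200
2024-05-13T09:12:09Z 10.0.0.15 GET https://cdn.example-static.net/app.js 200
2024-05-13T09:13:44Z 10.0.0.15 GET https://detankzone.com/detankzone.zip 200
2024-05-13T09:14:02Z 10.0.0.22 GET https://notdetankzone.com/ 200
2024-05-13T09:15:30Z 10.0.0.22 A detankzone.com
2024-05-13T09:16:11Z 10.0.0.31 GET https://files.example.org/detankzone.zip 200
"""


def refang(ioc):
    """Turn a defanged indicator back into a matchable, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(host, indicator):
    """True for the indicator itself or any subdomain of it; a look-alike
    such as notdetankzone.com does not match."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def indicators_in_line(line):
    """Return the list of indicators matched by one log line (may be empty)."""
    found = []
    hosts = HOST_RE.findall(line)
    for domain in map(refang, DEFANGED_DOMAINS):
        if any(domain_matches(h, domain) for h in hosts):
            found.append(domain)
    for name in ARCHIVE_NAMES:
        # Whole-token match so e.g. "detankzone.zip.txt" style noise is skipped.
        if re.search(r"(?<![a-z0-9])" + re.escape(name) + r"(?![a-z0-9.])",
                     line, re.I):
            found.append(name)
    return found


def scan(lines):
    """Return (hits, per_client): hits as (line_no, indicators, line), and
    per_client mapping the client field to the set of indicators it touched."""
    hits = []
    per_client = defaultdict(set)
    for n, line in enumerate(lines, 1):
        found = indicators_in_line(line)
        if found:
            hits.append((n, found, line))
            fields = line.split()
            client = fields[1] if len(fields) > 1 else "?"
            per_client[client].update(found)
    return hits, dict(per_client)


def triage(per_client):
    """Clients that both reached the lure domain and fetched the archive
    are the ones to look at first; returned sorted."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    archives = set(ARCHIVE_NAMES)
    return sorted(c for c, seen in per_client.items()
                  if seen & domains and seen & archives)


if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG.splitlines())
    for n, found, line in hits:
        print(f"line {n}: {', '.join(found)} <- {line}")
    print("prioritise:", triage(per_client))
```

Matching on the hostname token rather than on a raw substring is what keeps the look-alike domain on line 4 out of the results; the same approach extends to any other domain indicator by adding it to the defanged list.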

The malicious repurposing of DeFiTankLand’s source code suggests the group’s intent to leverage existing frameworks for their nefarious purposes. Kaspersky’s analysis shows that Lazarus remains one of the most ambitious and sophisticated Advanced Persistent Threat (APT) actors, with financial motives driving much of their activity.

The attackers continue to evolve their strategies, incorporating advanced social engineering techniques and utilizing generative AI for malicious campaigns. Kaspersky predicts that this trend will persist, and the Lazarus Group will develop even more intricate attacks in the future, showcasing their ongoing adaptability and determination in the cyber threat landscape.