Lazarus Group Utilizes Chrome Zero-Day Exploit in Latest Cryptocurrency Heist

October 23, 2024

The Lazarus Group, a cybercrime unit linked to North Korea, is reportedly using a sophisticated scheme to defraud cryptocurrency investors worldwide. The operation involves a convincingly designed gaming website, a recently patched Chrome zero-day bug, artificial intelligence-generated images, and professional LinkedIn profiles. The campaign, which began in February, has employed numerous accounts to persuade prominent figures in the cryptocurrency sector to endorse their malware-infected gaming site.

Kaspersky researchers, who discovered the campaign while investigating a recent malware infection, noted, "Over the years, we have uncovered many [Lazarus] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away." The Lazarus Group, which includes subgroups Andariel and Bluenoroff, has been involved in numerous high-profile security incidents since it first attracted attention with an attack on Sony Pictures in 2014. The group's activities range from the WannaCry ransomware outbreak to attempts to steal COVID-vaccine-related information from leading pharmaceutical companies.

The group's financial motivation is believed to be supporting the cash-strapped North Korean government's missile program. The latest campaign shows an evolution in the group's social engineering tactics. At the heart of the scam is a professionally designed website for a multiplayer online tank game based on NFTs. The game, according to Kaspersky researchers, is well-designed and functional, but this is because the Lazarus actors stole the source code from a legitimate game.

The website was found to contain exploit code for two Chrome vulnerabilities. One of them, known as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. This allowed the attackers to execute arbitrary code within a browser sandbox via a specially crafted HTML page. Google has since fixed the vulnerability. Another Chrome vulnerability observed in the latest Lazarus Group exploit does not appear to have a formal identifier. This allowed the attackers to escape the Chrome V8 sandbox entirely and gain full system access. The threat actor used this access to deploy shellcode for gathering information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor known as Manuscrypt.

The campaign stands out due to the effort the Lazarus Group appears to have invested in its social engineering aspect. Kaspersky researchers Boris Larin and Vasily Berdnikov wrote, "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible." The group used multiple fake accounts to promote their site via various platforms and LinkedIn, along with AI-generated content and images to create an illusion of authenticity around their fake game site.

Related News

• PoC Exploit Surfaces for Google Chrome Zero-Day Vulnerability CVE-2024-4947
• CISA Includes Chrome Zero-Days in its Known Exploited Vulnerabilities Catalog
• Google Responds to Third Chrome Zero-Day Exploit in a Week

Latest News

• CISA Adds Microsoft SharePoint Vulnerability to Known Exploited Vulnerabilities Catalogue; Active Exploitation Reported
• Open Policy Agent (OPA) for Windows Vulnerability Risks Leaking NTLM Hashes
• New Exploit Unveiled for Windows Server 'WinReg' NTLM Relay Attack
• Active Exploitation of Samsung Zero-Day Vulnerability: An Alert from Google's Threat Analysis Group
• VMware Issues New Security Update for Critical vCenter Server RCE Vulnerability