Lazarus APT Exploits Chrome Zero-Day Vulnerability to Steal Cryptocurrency: A Deep Dive

A recent report by Kaspersky’s Global Research and Analysis Team (GReAT) has unveiled a sophisticated campaign orchestrated by the Lazarus Advanced Persistent Threat (APT) group, which has targeted cryptocurrency investors globally. By leveraging a zero-day vulnerability in Google Chrome, the attackers used a fake cryptogame website to install spyware and steal sensitive wallet credentials. This alarming revelation was shared during the Security Analyst Summit 2024 held in Bali.

The Attack: How Lazarus Operated

In May 2024, Kaspersky’s analysis of telemetry data from the Kaspersky Security Network identified an attack involving Manuscrypt malware, a tool utilized by the Lazarus group since 2013. This notorious group has executed over 50 unique campaigns across various sectors, primarily targeting cryptocurrency platforms.

Sophisticated Techniques and Exploits

The recent campaign employed advanced social engineering techniques combined with generative AI to ensnare cryptocurrency investors. The Lazarus group exploited two significant vulnerabilities, one of which was a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine. This zero-day vulnerability, later designated as CVE-2024-4947, allowed attackers to execute arbitrary code, bypass essential security features, and conduct various malicious activities. The second vulnerability was utilized to circumvent Google Chrome’s V8 sandbox protection.

The Fake Cryptogame Website

To execute their attack, the Lazarus group created an elaborate fake game website designed to lure users into a global competition featuring NFT tanks. The attackers worked hard to cultivate trust, ensuring that their promotional activities appeared credible. This included establishing fake social media accounts on platforms like X (formerly Twitter) and LinkedIn, promoting the game with AI-generated images to enhance authenticity.

The campaign was not only focused on direct attacks; Lazarus also attempted to engage cryptocurrency influencers, leveraging their social media presence to amplify the reach of the threat and target their crypto accounts directly.

Unprecedented Tactics and Ambitions

Kaspersky’s Principal Security Expert, Boris Larin, highlighted the unique nature of this campaign. He noted, “While we’ve seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems.” The extensive planning and execution of this campaign indicate that the Lazarus group had ambitious plans, potentially impacting users and businesses on a global scale.

The Real Game vs. The Fake Game

Kaspersky experts discovered a legitimate game that appeared to serve as the prototype for the attackers’ version. After the attackers launched their campaign, the developers of the real game reported a theft of US$20,000 in cryptocurrency from their wallet. The fake game closely resembled the original, with minor differences in logo placement and visual quality, raising concerns about the lengths to which the Lazarus group went to enhance the credibility of their attack.


This malicious campaign serves as a stark reminder of the evolving landscape of cyber threats, particularly those targeting cryptocurrency platforms. With the Lazarus APT group’s history of utilizing zero-day exploits, it is crucial for users to remain vigilant and protect their digital assets. The full report detailing these findings is now available on Securelist.com.

By understanding these threats and implementing robust security measures, individuals and businesses can safeguard themselves against increasingly sophisticated cyber attacks.