The North Korean threat actor known as Lazarus Group has exploited a vulnerability in Google Chrome to take control of compromised devices.
Kaspersky, a cybersecurity vendor, reported that in May 2024 it detected a novel attack chain that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor.
The attack chain triggers the exploit as soon as the victim visits a fake gaming website (“detankzone[.]com”) aimed at individuals in the cryptocurrency industry. The campaign is believed to have begun in February 2024.
“Superficially, this site appeared like a well-designed retail page for a decentralized finance (DeFi) NFT-based multiplayer online battle arena (MOBA) tank game, encouraging users to download a trial version,” said Kaspersky researchers Boris Larin and Vasily Berdnikov.
“However, this was merely a façade. Beneath it, the website contained a concealed script that ran in the user’s Google Chrome browser, using a zero-day exploit to grant the attackers complete control over the victim’s personal computer.”
The vulnerability in question is CVE-2024-4947, a type confusion flaw in the V8 JavaScript and WebAssembly engine that Google patched in mid-May 2024.
The tactic of using a malicious tank game (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) to deliver malware is one that Microsoft has attributed to another North Korean threat cluster known as Moonstone Sleet.
Those attacks begin with the actor contacting potential targets by email or messaging platforms and, posing as a blockchain company or a game developer seeking investment, persuading them to install the game.
The latest discoveries by Kaspersky contribute another element to the attack puzzle, emphasizing the critical role of the zero-day browser exploit in the scheme.
Specifically, the exploit contains code for two vulnerabilities: the first (CVE-2024-4947) gives the attackers read and write access to the entire address space of the Chrome process from JavaScript, and the second is used to bypass the V8 sandbox.
“The [second] vulnerability arises from the fact that the virtual machine has an established number of registers and a dedicated array to store them, but the register indices are decoded from the instruction contents and aren’t authenticated,” the researchers explained. “This allows malicious actors to access memory beyond the boundaries of the register array.”
The V8 sandbox bypass was fixed by Google in March 2024 after a bug report was submitted on March 20, 2024. However, it remains unclear whether the attackers learned of it before the fix and weaponized it as a zero-day, or used it as an N-day vulnerability.
After successful exploitation, the threat actor runs a validator in the form of shellcode that collects system information to gauge the machine's value for further post-exploitation activity. The exact payload delivered after this stage is not yet known.
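The register-array issue the researchers describe is easy to see in a bytecode interpreter written without an operand check. The following is an added example, a toy register VM written for this article rather than V8 code or anything from Kaspersky's analysis, showing the hardened form of the design: every register index decoded from the untrusted bytecode is verified against the fixed-size register file before any instruction executes, so a crafted instruction naming a register past the array is rejected instead of becoming an out-of-bounds access. The opcodes, the 3-byte encoding and both sample programs are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy register VM (constructed for this example): a fixed register file
 * and a 3-byte instruction encoding <opcode, operand a, operand b>. The
 * register operands are taken straight from untrusted bytecode, which is
 * the situation described in the article. */
#define NUM_REGS 8

enum { OP_LOADI = 0, OP_ADD = 1, OP_HALT = 2 };

typedef struct {
    int64_t regs[NUM_REGS];
    /* In a real engine other state follows the register array; an
     * unchecked index would read or write past regs[] into it. */
} vm_t;

/* Hardened form: verify every register operand before anything runs.
 * Returns -1 if the program is well-formed, otherwise the byte offset of
 * the first instruction that is malformed or names an out-of-range
 * register. Truncated programs (no HALT) are rejected as well. */
long validate_bytecode(const uint8_t *code, size_t len)
{
    size_t pc = 0;
    while (pc + 3 <= len) {
        uint8_t op = code[pc], a = code[pc + 1], b = code[pc + 2];
        switch (op) {
        case OP_LOADI:  /* LOADI dst, imm: only 'a' is a register */
            if (a >= NUM_REGS) return (long)pc;
            break;
        case OP_ADD:    /* ADD dst, src: both operands are registers */
            if (a >= NUM_REGS || b >= NUM_REGS) return (long)pc;
            break;
        case OP_HALT:
            return -1;
        default:
            return (long)pc;  /* unknown opcode: reject */
        }
        pc += 3;
    }
    return (long)pc;  /* ran off the end without HALT: reject */
}

/* Execute only after validation. The dispatch loop then indexes regs[]
 * without further checks, which is safe because every index was proven
 * in range. Returns 0 on success, -1 if the program was rejected. */
int run_bytecode(const uint8_t *code, size_t len, vm_t *vm)
{
    if (validate_bytecode(code, len) != -1) return -1;
    for (size_t i = 0; i < NUM_REGS; i++) vm->regs[i] = 0;
    for (size_t pc = 0;; pc += 3) {
        uint8_t op = code[pc], a = code[pc + 1], b = code[pc + 2];
        if (op == OP_HALT) return 0;
        if (op == OP_LOADI) vm->regs[a] = (int64_t)b;
        else vm->regs[a] += vm->regs[b];   /* OP_ADD */
    }
}

/* Constructed sample: r0 = 5; r1 = 7; r0 += r1; halt  -> r0 == 12 */
static const uint8_t GOOD_PROGRAM[] = {
    OP_LOADI, 0, 5,
    OP_LOADI, 1, 7,
    OP_ADD,   0, 1,
    OP_HALT,  0, 0,
};

/* Constructed sample: the second instruction names register 200, far
 * past the 8-entry register file. Without the check this would be an
 * out-of-bounds write on the VM state. */
static const uint8_t BAD_PROGRAM[] = {
    OP_LOADI, 0,   5,
    OP_ADD,   200, 0,
    OP_HALT,  0,   0,
};

long demo_good_result(void)
{
    vm_t vm;
    if (run_bytecode(GOOD_PROGRAM, sizeof GOOD_PROGRAM, &vm) != 0) return -1;
    return (long)vm.regs[0];                                    /* 12 */
}

long demo_bad_offset(void)
{
    return validate_bytecode(BAD_PROGRAM, sizeof BAD_PROGRAM);   /* 3 */
}

int demo_bad_run_status(void)
{
    vm_t vm;
    return run_bytecode(BAD_PROGRAM, sizeof BAD_PROGRAM, &vm);  /* -1 */
}

int main(void)
{
    printf("good program: r0 = %ld\n", demo_good_result());
    printf("bad program rejected at byte offset %ld (run status %d)\n",
           demo_bad_offset(), demo_bad_run_status());
    return 0;
}
```

The point of the design is that the check lives in a validation pass that runs once over the whole program, so the interpreter's hot path can stay simple while every index it uses has already been proven in range; a detection-minded reader can also treat a validator rejection as a signal worth logging, since well-formed programs never trip it.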
“What continually astounds us is the extent of effort invested by Lazarus APT into their social engineering campaigns,” the Russian firm said, noting the threat actor's pattern of contacting influential figures in the cryptocurrency space to help promote its fraudulent website.
“For several months, the assailants were enhancing their social media presence, regularly composing posts on X (previously Twitter) from various accounts and promoting their game utilizing content generated through artificial intelligence and graphic designers.”
The adversary’s activity has been observed on X and LinkedIn, alongside the tailored websites and emails aimed at people of interest.
The website is designed to entice visitors into downloading a ZIP archive (“detankzone.zip”) that, once launched, is a fully functional game requiring player registration, but carries embedded code that launches a custom loader dubbed YouieLoad, previously documented by Microsoft.
Lazarus Group is also suspected of having stolen the game’s source code from a legitimate blockchain play-to-earn (P2E) game named DeFiTankLand (DFTL), which suffered a breach of its own in March 2024 that led to the theft of $20,000 worth of DFTL2 coins.
While the project’s developers attributed the breach to an insider, Kaspersky suspects that Lazarus Group was responsible and used both the game’s source code and the DFTL2 coins to advance its objectives.
“Lazarus remains one of the most diligent and sophisticated APT factions, with financial gain continuing to be a foremost motivation for their operations,” the researchers said.
“The strategies of the assailants are progressing, and they are continuously devising new and intricate social engineering ploys. Lazarus has already begun integrating generative AI and we anticipate they will devise even more elaborate schemes utilizing this technology.”