Kaspersky’s Global Research and Analysis Team (GReAT) on Wednesday revealed that the infamous North Korean Lazarus Advanced Persistent Threat (APT) group exploited a now-patched Google Chrome zero-day vulnerability through a fake decentralized finance (DeFi) game to install spyware and steal wallet credentials.
On May 13, 2024, Kaspersky experts discovered a malicious campaign that had begun in February 2024, after they identified a new variant of the “Manuscrypt” backdoor malware on the computer of one of Kaspersky’s customers in Russia.
Lazarus has used the Manuscrypt malware since at least 2013, in more than 50 distinct campaigns targeting various industries.
The sophisticated malicious campaign uncovered by Kaspersky depended heavily on social engineering techniques and generative AI to target cryptocurrency investors.
Kaspersky researchers found that the threat actor exploited two vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Google Chrome’s V8 JavaScript engine that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
This vulnerability was fixed by Google on May 25, 2024, with Chrome version 125.0.6422.60/.61, after Kaspersky reported the flaw to the company.
A second vulnerability allowed the attackers to bypass Google Chrome’s V8 sandbox protection; Google had patched that sandbox bypass in March 2024.
For their campaign, the threat actors exploited the Google Chrome web browser; the attack originated from the website “detankzone[.]com.”
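As an added defender-side example (not code from the article or from Kaspersky), the following Python script turns the defanged campaign domain printed above back into a matchable hostname, scans constructed web proxy log lines for visits to that domain or any of its subdomains, and compares the Chrome build in each client’s User-Agent against the first fixed build the article names (125.0.6422.60). The log line format, the sample lines and all function names are assumptions. Chrome’s reduced User-Agent, which reports only the major version (for example 125.0.0.0), is treated as inconclusive rather than as patched.

```python
import re

# Defanged indicator exactly as the article prints it; refanged only for matching.
CAMPAIGN_DOMAIN_DEFANGED = "detankzone[.]com"

# First Chrome stable build carrying the fix for CVE-2024-4947 (version from the article).
FIXED_CHROME_VERSION = (125, 0, 6422, 60)

# Constructed sample proxy log lines (not from the page). Assumed format:
# client_ip method host/path "User-Agent"
SAMPLE_LOG = """\
10.1.2.3 GET detankzone.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.201 Safari/537.36"
10.1.2.4 GET detankzone.com/download "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.61 Safari/537.36"
10.1.2.5 GET example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36"
10.1.2.6 GET cdn.detankzone.com/game.js "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36"
10.1.2.7 GET example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.1.2.8 GET example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.55 Safari/537.36"
"""

LOG_LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
CHROME_VERSION_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and for any subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_chrome_version(user_agent: str):
    """Extract the four-part Chrome build from a User-Agent, or None if it is not Chrome."""
    m = CHROME_VERSION_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def chrome_patch_status(version):
    """
    True  -> build is older than the first fixed build (unpatched)
    False -> build is at or above the first fixed build
    None  -> cannot tell: a reduced User-Agent (e.g. 125.0.0.0) carries only the
             major version, so a same-major build is inconclusive.
    """
    if version[1:] == (0, 0, 0):
        if version[0] < FIXED_CHROME_VERSION[0]:
            return True
        if version[0] > FIXED_CHROME_VERSION[0]:
            return False
        return None
    return version < FIXED_CHROME_VERSION


def triage(log_text: str, domain_defanged: str = CAMPAIGN_DOMAIN_DEFANGED):
    """One finding per log line that touched the campaign domain or came from an
    unpatched (or unverifiable) Chrome build; benign lines produce no finding."""
    domain = refang(domain_defanged)
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skipped rather than guessed at
        host = m.group("url").split("/", 1)[0]
        version = parse_chrome_version(m.group("ua"))
        reasons = []
        if host_matches(host, domain):
            reasons.append("campaign_domain")
        if version is not None:
            status = chrome_patch_status(version)
            if status is True:
                reasons.append("unpatched_chrome")
            elif status is None:
                reasons.append("chrome_build_unverifiable")
        if reasons:
            findings.append({"ip": m.group("ip"), "host": host,
                             "chrome": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['host']:<22} Chrome {f['chrome']}  -> {', '.join(f['reasons'])}")
```

A visit to the campaign domain is reported regardless of browser version, since a patched client that reached the site is still worth a look; the Chrome build check is only a prioritisation aid and should not be read as proof of compromise or of safety.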
“On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version,” Kaspersky researchers Boris Larin and Vasily Berdnikov said.
“But that was just a disguise. Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC. Visiting the website was all it took to get infected — the game was just a distraction.”
Kaspersky discovered that the attackers used a legitimate NFT game—DeFiTankLand (DFTL)—as the prototype for the fake game and kept its design very close to the original. To keep the illusion seamless, the fake game was built from the stolen source code, with only the logos and references to the original changed.
The researchers also noted that the attackers contacted influential figures in the cryptocurrency space to have them promote the malicious website; those figures’ crypto wallets were also likely compromised.
On February 20, 2024, the attackers launched their campaign and began advertising the tank game on X, after which $20,000 worth of DFTL2 coins were stolen from the wallet of DeFiTankLand’s developer.
Although the project developers blamed an insider for the breach, Kaspersky believes the Lazarus group was behind the attack.
“While we’ve seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems. With notorious actors like Lazarus, even seemingly innocuous actions—such as clicking a link on a social network or in an email—can result in the complete compromise of a personal computer or an entire corporate network. The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide,” commented Larin.