The North Korean risk actor generally known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched safety flaw in Google Chrome to grab management of contaminated units.
Cybersecurity vendor Kaspersky mentioned it found a novel assault chain in Might 2024 that focused the non-public laptop of an unnamed Russian nationwide with the Manuscrypt backdoor.
This entails triggering the zero-day exploit merely upon visiting a faux sport web site (“detankzone[.]com”) that was aimed on the people within the cryptocurrency sector. The marketing campaign is estimated to have commenced in February 2024.
“On the floor, this web site resembled a professionally designed product web page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer on-line battle enviornment (MOBA) tank sport, inviting customers to obtain a trial model,” Kaspersky researchers Boris Larin and Vasily Berdnikov mentioned.
“However that was only a disguise. Underneath the hood, this web site had a hidden script that ran within the consumer’s Google Chrome browser, launching a zero-day exploit and giving the attackers full management over the sufferer’s PC.”
The vulnerability in query is CVE-2024-4947, a sort confusion bug within the V8 JavaScript and WebAssembly engine that Google patched in mid-Might 2024.
The usage of a malicious tank sport (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) as a conduit to ship malware is a tactic that Microsoft has attributed to a different North Korean risk exercise cluster dubbed Moonstone Sleet.
These assaults are carried out by approaching potential targets by e-mail or messaging platforms, tricking them into putting in the sport by posing as a blockchain firm or a sport developer searching for funding alternatives.
Kaspersky’s newest findings add one other piece to the assault puzzle, highlighting the function performed by the zero-day browser exploit within the marketing campaign.
Particularly, the exploit comprises code for 2 vulnerabilities: the primary is used to present attackers learn and write entry to all the handle house of the Chrome course of from the JavaScript (CVE-2024-4947), and the second is abused to get across the V8 sandbox.
“The [second] vulnerability is that the digital machine has a hard and fast variety of registers and a devoted array for storing them, however the register indexes are decoded from the instruction our bodies and will not be checked,” the researchers defined. “This enables attackers to entry the reminiscence outdoors the bounds of the register array.”
The V8 sandbox bypass was patched by Google in March 2024 following a bug report that was submitted on March 20, 2024. That mentioned, it is presently not identified if the attackers found it earlier and weaponized it as a zero-day, or if it was exploited as an N-day vulnerability.
Profitable exploitation is adopted by the risk actor operating a validator that takes the type of a shellcode accountable for gathering system info, which is then used to find out if the machine is efficacious sufficient to conduct additional post-exploitation actions. The precise payload delivered after this stage is presently unknown.
“What by no means ceases to impress us is how a lot effort Lazarus APT places into their social engineering campaigns,” the Russian firm mentioned, mentioning the risk actor’s sample of contacting influential figures within the cryptocurrency house to assist them promote their malicious web site.
“For a number of months, the attackers had been constructing their social media presence, frequently making posts on X (previously Twitter) from a number of accounts and selling their sport with content material produced by generative AI and graphic designers.”
The attacker’s exercise has been noticed throughout X and LinkedIn, to not point out the specially-crafted web sites and e-mail messages despatched to targets of curiosity.
The web site can be designed to lure guests into downloading a ZIP archive (“detankzone.zip”) that, as soon as launched, is a completely practical downloadable sport that requires participant registration, but additionally harbors code to launch a customized loader codenamed YouieLoad, as beforehand detailed by Microsoft.
What’s extra, it is believed that the Lazarus Group stole the supply code for the sport from a legit blockchain play-to-earn (P2E) sport named DeFiTankLand (DFTL), which suffered a hack of its personal in March 2024, resulting in the theft of $20,000 price of DFTL2 cash.
Though the venture builders blamed an insider for the breach, Kaspersky suspects that the Lazarus Group was behind it, and that they stole the sport’s supply code alongside the DFTL2 cash and repurposed it to advance their targets.
“Lazarus is without doubt one of the most lively and complicated APT actors, and monetary acquire stays considered one of their prime motivations,” the researchers mentioned.
“The attackers’ ways are evolving and so they’re always arising with new, advanced social engineering schemes. Lazarus has already efficiently began utilizing generative AI, and we predict that they may provide you with much more elaborate assaults utilizing it.”