Chrome Zero-Day Uncovered in Lazarus Group’s Crypto Campaign
The North Korean Lazarus group exploited a zero-day vulnerability in the Google Chrome browser to steal cryptocurrency, disguising their actions through a malicious online game. This was revealed by Kaspersky Lab experts at the Security Analyst Summit 2024 in Bali.
The attackers created a website featuring a tank game, enticing users with promises of cryptocurrency rewards to lure them onto the platform and infect their devices.
The campaign was meticulously crafted. Over the course of several months, the cybercriminals promoted the game through international social networks, using AI-generated images and enlisting crypto influencers for advertising.
Kaspersky Lab experts discovered that the malicious game was a copy of an existing project, replicating almost all of its source code with only slight alterations to logos and visual elements. Notably, shortly after the campaign’s launch, the developers of the original game reported the theft of $20,000 in cryptocurrency from their wallet.
The Lazarus website concealed a Chrome exploit chain built on two vulnerabilities. One was previously unknown: a type confusion flaw in V8, Chrome's JavaScript and WebAssembly engine, which let the attackers execute code, bypass the browser's security mechanisms and take control of the device. No interaction with the game was required; simply loading the page in a vulnerable Chrome build was enough to infect the device (a drive-by infection).
Kaspersky Lab researchers promptly reported the issue to Google, which patched the vulnerability, tracked as CVE-2024-4947, in a Chrome stable update and blocked the malicious site. The second vulnerability in the chain did not receive a CVE identifier but was also fixed.
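Since the fix shipped as a regular Chrome stable update, the practical question for a defender is which browser builds in an estate are still exposed. The script below is an added example, not code from the article or from Kaspersky: it compares dotted Chrome version strings numerically (a plain string comparison gets this wrong, since "125.0.6422.9" sorts after "125.0.6422.60") and triages user-agent strings. The fixed build is assumed here to be 125.0.6422.60, taken from Google's May 2024 Chrome stable release notes rather than from this page; verify it against the Chrome Releases blog before relying on the threshold. The sample user-agent strings are constructed, not captured from the campaign.

```python
"""Triage Chrome version strings against the fix for CVE-2024-4947.

Added example, not from the original article or from Kaspersky.
ASSUMPTION: the first fixed stable build is taken as 125.0.6422.60
(Google's Chrome stable release notes, May 2024); verify before use.
"""
import re
from typing import Optional, Tuple

FIXED_BUILD = "125.0.6422.60"  # assumed first fixed stable build, see docstring

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,3}$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Chrome version ('125.0.6422.60') into a 4-tuple of ints.

    Shorter strings are right-padded with zeros, so '125' == '125.0.0.0'.
    Anything that is not plain dotted digits raises ValueError, so a garbled
    input fails loudly instead of silently comparing as 'patched'.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True if `version` is numerically older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def chrome_version_from_user_agent(user_agent: str) -> Optional[str]:
    """Extract the Chrome version token from a UA string, or None if absent."""
    m = re.search(r"Chrome/(\d+(?:\.\d+){0,3})", user_agent)
    return m.group(1) if m else None


def triage(user_agent: str) -> str:
    """Classify a UA as 'vulnerable', 'patched', 'inconclusive' or 'unknown'.

    Chrome's reduced user agent reports only '<major>.0.0.0', which hides the
    build number. When the major version matches the fixed major, the build is
    what decides, so a reduced UA is reported as inconclusive rather than
    being guessed either way.
    """
    v = chrome_version_from_user_agent(user_agent)
    if v is None:
        return "unknown"  # no Chrome token in the UA at all
    parsed = parse_version(v)
    fixed = parse_version(FIXED_BUILD)
    if parsed[0] < fixed[0]:
        return "vulnerable"
    if parsed[0] > fixed[0]:
        return "patched"
    if parsed[1:] == (0, 0, 0):
        return "inconclusive"  # same major, build hidden by reduced UA
    return "vulnerable" if parsed < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample UA strings for illustration, not captured traffic.
    samples = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/124.0.6367.201 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/126.0.6478.55 Safari/537.36",
        "curl/8.5.0",
    ]
    for ua in samples:
        print(f"{triage(ua):12} <- {ua}")
```

For inventory data that carries the full build number (endpoint management exports, for example) call `is_vulnerable` directly; the user-agent path exists because web logs are often the only evidence of what visited a suspicious page, and the reduced UA is why that evidence is frequently inconclusive.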
Lazarus is notorious for its expertise in zero-day attacks, which require significant resources and time. The Manuscrypt backdoor, used in this operation, has been deployed by the group in more than 50 previous attacks targeting various organizations worldwide.
Boris Larin from Kaspersky Lab noted that Lazarus goes beyond standard methods, using fully-fledged gaming projects as a front to infect devices. This large-scale preparation underscores the group’s ambitious plans and the heightened risks posed to users and organizations globally.