Introduction

In early 2024 [1], a sophisticated cyber-attack orchestrated by the Lazarus Group, a North Korean state-sponsored hacking collective [7], exploited a critical zero-day vulnerability in Google Chrome [1] [2] [3] [4] [5] [7] [8]. This attack, which targeted cryptocurrency investors worldwide [4], underscores the persistent threat posed by advanced persistent threats (APTs) and highlights the importance of vigilance and timely security updates.

Description

A cyber-attack attributed to the Lazarus Group, a North Korean state-sponsored hacking collective [7], including its BlueNoroff subgroup [3], has exploited a critical zero-day vulnerability in Google Chrome [1] [2] [3] [4] [5] [7] [8], tracked as CVE-2024-4947 [1] [2] [5] [6] [7]. This type confusion flaw in the V8 JavaScript engine [7] [8], specifically related to a new optimizing compiler called Maglev introduced in late 2023 [5], allowed remote attackers to execute arbitrary code via a specially crafted HTML page [6]. The exploit enabled attackers to gain full control over the victim’s device [5], leading to the potential theft of sensitive information such as cookies [7], authentication tokens [7], and saved passwords [7]. The sophisticated campaign [4], dubbed “DeTankZone,” began in February 2024 and targeted cryptocurrency investors globally. It was uncovered by Kaspersky’s Global Research and Analysis Team (GReAT) when Manuscrypt malware, a backdoor previously associated with Lazarus and used in over 50 documented campaigns since 2013, was detected on the personal computer of a Russian national.

The malicious website [7] [8], detankzone.com [3] [5] [7] [8], masqueraded as a legitimate platform for a decentralized finance (DeFi) NFT-based multiplayer online battle arena game [8], utilizing stolen source code from a legitimate project [7], DeFiTankLand [7], to lure victims [7]. This fully functional game served as a cover for the attackers, who embedded malicious code that triggered the exploit as soon as a victim visited the site. The exploit allowed them to manipulate memory within Chrome processes and bypass the V8 sandbox, granting them read and write access to the entire address space of the Chrome process [8]. The attackers employed social engineering techniques [1], including the use of generative AI and multiple fake accounts on platforms like X (formerly Twitter) and LinkedIn, to create a sense of trust and promote their malware-infected game site through cryptocurrency influencers. Following the launch of the campaign [1], approximately $20,000 worth of cryptocurrency was stolen from the wallets of game developers and influencers alike [1]. Google patched this vulnerability on May 15, 2024, in Chrome versions 125.0.6422.60 and 125.0.6422.61, following Kaspersky’s report of the issue.
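To turn the patch and lure-domain details above into something a defender can run, here is an added Python example (not code from the cited reports or from any vendor): it compares a Chrome build string against the first fixed release named above, 125.0.6422.60, and triages proxy-log lines for contact with detankzone.com by a browser whose user-agent reports an unpatched build. The log format, the sample lines and the helper names are assumptions made for illustration; the fix versions and the domain are the ones stated in this write-up.

```python
"""Defensive triage for CVE-2024-4947 exposure.

Assumptions (not from the cited reports): a proxy log with one request per
line, containing the full URL and the client's User-Agent string in quotes.
"""
import re
from typing import Optional

# First fixed Chrome release named in the write-up (125.0.6422.60, 2024-05-15).
FIXED_VERSION = (125, 0, 6422, 60)
# Lure domain named in the write-up; a real deployment would load a full IoC list.
LURE_DOMAINS = {"detankzone.com"}

URL_HOST_RE = re.compile(r'https?://([^/:\s"]+)', re.IGNORECASE)
CHROME_UA_RE = re.compile(r"Chrome/(\d+\.\d+\.\d+\.\d+)")


def parse_version(ver: str) -> tuple:
    """Turn a four-part Chrome build string such as '124.0.6367.201' into an int tuple."""
    parts = ver.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {ver!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(ver: str) -> bool:
    """True when the build predates the first fixed release (tuple comparison, not string)."""
    return parse_version(ver) < FIXED_VERSION


def chrome_version_from_ua(text: str) -> Optional[str]:
    """Extract the Chrome build from a User-Agent string, or None if it is not Chrome."""
    m = CHROME_UA_RE.search(text)
    return m.group(1) if m else None


def is_lure_host(host: str) -> bool:
    """Exact or subdomain match only; a plain substring test would also fire on look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)


def triage_log(lines) -> list:
    """Return one finding per log line that contacted a lure domain.

    Each finding records the line number, the host, the Chrome build seen in the
    User-Agent (if any) and whether that build predates the fix.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = URL_HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if not is_lure_host(host):
            continue
        ver = chrome_version_from_ua(line)
        findings.append({
            "line": n,
            "host": host,
            "chrome": ver,
            "vulnerable": bool(ver and is_vulnerable(ver)),
        })
    return findings


# Constructed sample log lines (not real traffic); the last line is a look-alike host
# that a naive substring match would wrongly flag.
SAMPLE_LOG = [
    '2024-03-01T09:12:04Z 10.0.0.7 GET https://www.example.org/ 200 "Mozilla/5.0 Chrome/122.0.6261.112 Safari/537.36"',
    '2024-03-03T10:15:22Z 10.0.0.12 GET https://detankzone.com/ 200 "Mozilla/5.0 Chrome/122.0.6261.112 Safari/537.36"',
    '2024-03-03T10:15:23Z 10.0.0.12 GET https://detankzone.com/game.js 200 "Mozilla/5.0 Chrome/122.0.6261.112 Safari/537.36"',
    '2024-06-02T14:40:10Z 10.0.0.31 GET https://www.detankzone.com/ 200 "Mozilla/5.0 Chrome/125.0.6422.76 Safari/537.36"',
    '2024-06-02T14:41:00Z 10.0.0.31 GET https://detankzone.com.evil.example/ 200 "Mozilla/5.0 Chrome/125.0.6422.76 Safari/537.36"',
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        status = "UNPATCHED build, treat as likely compromised" if f["vulnerable"] else "patched build"
        print(f'line {f["line"]}: {f["host"]} via Chrome {f["chrome"]} ({status})')
```

A hit from an unpatched build is worth escalating because, as the write-up describes, the exploit ran on page load with no further user interaction; a hit from a patched build still shows the lure reached the user and warrants a look at the host, but the browser-side exploit chain itself should have been blocked.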

Key vulnerabilities involved in this campaign include:

  • CVE-2024-4947: A flaw in Chrome’s Maglev compiler that allows memory structure overwrites and the execution of arbitrary code [3], enabling the installation of spyware and the theft of wallet credentials [4].
  • V8 Sandbox Bypass: A second vulnerability, lacking a formal identifier [2], that enabled attackers to escape the Chrome V8 sandbox and gain full system access [2], facilitating the deployment of shellcode for information gathering and potentially further malicious payloads [2].

While Kaspersky followed responsible disclosure practices [3], a related report from Microsoft [3] [5], released on May 28, 2024, overlooked the zero-day aspect and attributed the attack to a newly identified North Korean threat actor named Moonstone Sleet [5]. As Lazarus refines its tactics [3], including social engineering and the use of legitimate-looking platforms [3], vigilance is essential for both organizations and individuals to mitigate the risks posed by such advanced persistent threats.

Conclusion

The “DeTankZone” campaign exemplifies the evolving tactics of state-sponsored hacking groups like Lazarus, emphasizing the critical need for robust cybersecurity measures. The exploitation of zero-day vulnerabilities and sophisticated social engineering techniques highlight the importance of timely software updates and user awareness. As threat actors continue to adapt and refine their methods, organizations and individuals must remain vigilant and proactive in safeguarding their digital assets against such advanced threats.

References

[1] https://www.zdnet.de/88418757/hackergruppe-lazarus-nutzt-zero-day-luecke-in-chrome/
[2] https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-exploits-chrome-zero-day-campaign
[3] https://www.infosecurity-magazine.com/news/lazarus-group-exploits-google/
[4] https://www.kaspersky.com/about/press-releases/lazarus-apt-exploited-zero-day-vulnerability-in-chrome-to-steal-cryptocurrency
[5] https://informationsecuritybuzz.com/the-lazarus-apt-strikes-again-zero-day/
[6] https://www.techworm.net/2024/10/lazarus-hacker-exploit-google-chrome-zero-day.html
[7] https://socradar.io/lazarus-exploits-google-chrome-zero-day-to-steal-cryptocurrency-in-detankzone-campaign-cve-2024-4947/
[8] https://thehackernews.com/2024/10/lazarus-group-exploits-google-chrome.html