Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

Published: 23/11/2024   Category: security

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.



North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try to steal from cryptocurrency users worldwide.
The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space into promoting its malware-infected crypto game site.
"Over the years, we have uncovered many [Lazarus] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.
The state-sponsored Lazarus Group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.
Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the cash-strapped North Korean government's missile program.
In the latest campaign, the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.
Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside the browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.
The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode that collected information on the compromised system before deciding whether to deploy further malicious payloads on it, including a backdoor called Manuscrypt.
What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn, along with AI-generated content and images, to create an illusion of authenticity around their fake game site.
"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.
