The North Korean cyber threat actor known as the Lazarus Group has been linked to the exploitation of a now-patched zero-day vulnerability in Google Chrome, enabling them to seize control of infected devices. According to cybersecurity firm Kaspersky, this attack chain was uncovered in May 2024, targeting the personal computer of an unnamed Russian national using the Manuscript backdoor.
The campaign, estimated to have begun in February 2024, involved a fake game website named "detankzone[.]com," designed to lure individuals in the cryptocurrency sector. The site masqueraded as a professional product page for a decentralized finance (DeFi) multiplayer online battle arena (MOBA) tank game, encouraging users to download a trial version. However, beneath this façade lay a hidden script that executed a zero-day exploit in the victim's Google Chrome browser, granting attackers complete access to the infected PC.
The vulnerability, identified as CVE-2024-4947, is a type of confusion bug in the V8 JavaScript and WebAssembly engine, which Google patched in mid-May 2024. Kaspersky noted that the method of using a fraudulent tank game to distribute malware aligns with tactics attributed to another North Korean group known as Moonstone Sleet. This approach often involves deceptive emails or messages to entice targets into installing the game, disguised as legitimate blockchain investment opportunities.
Kaspersky's investigation highlights the exploit's dual vulnerabilities: the first allows attackers to gain read and write access to the Chrome process's entire address space from JavaScript (CVE-2024-4947), while the second facilitates bypassing the V8 sandbox security feature. Although Google patched the sandbox vulnerability in March 2024, it remains unclear whether the Lazarus Group discovered and weaponized it before the patch or exploited it as an N-day vulnerability.
After successful exploitation, the attackers deploy a validator shellcode to gather system information, assessing whether the compromised device is valuable enough for further actions. The exact nature of the follow-up payload remains undisclosed.
Kaspersky researchers noted the extensive effort Lazarus puts into social engineering, particularly targeting influential figures within the cryptocurrency community to promote their malicious website. Over several months, the attackers built a social media presence, frequently posting on X (formerly Twitter) and LinkedIn, using generative AI and graphic design to create engaging content for their game.
The website also entices visitors to download a ZIP archive, "detankzone.zip," containing a playable game that requires user registration while also executing a custom loader called YouieLoad. Furthermore, it is believed that the Lazarus Group stole the source code for this game from a legitimate blockchain play-to-earn (P2E) project named DeFiTankLand, which was hacked in March 2024, resulting in the theft of $20,000 worth of DFTL2 coins.
Kaspersky suspects the Lazarus Group was behind the breach and repurposed the stolen source code to further their malicious objectives. The researchers emphasized that Lazarus remains one of the most active and sophisticated advanced persistent threat (APT) groups, with financial gain as a primary motivation. They predict that the group will continue to innovate, developing even more complex social engineering schemes, and potentially leveraging generative AI in future attacks.
