Lazarus hackers used pretend DeFi recreation to use Google Chrome zero-day

The North Korean Lazarus hacking group exploited a Google Chrome zero-day tracked as CVE-2024-4947 via a pretend decentralized finance (DeFi) recreation concentrating on people within the cryptocurrency area.

Kaspersky found the assaults on Might 13, 2024, and reported the Chrome zero-day flaw to Google.

Google issued a repair for CVE-2024-4947 on Might 25, with Chrome model 125.0.6422.60/.61.

Lazarus tank video games

Kaspersky found the marketing campaign, which began in February 2024, after detecting a brand new variant of the “Manuscrypt” backdoor malware on the non-public pc of one in all its clients in Russia.

Lazarus has been utilizing Manuscrypt for years, however the researchers have been intrigued by the risk actor’s atypical concentrating on scope, which seemingly included random people.

Additional telemetry confirmed that Google Chrome was exploited previous to the detection of the brand new Manuscrypt payload, with the exploitation originating from the “detankzone[.]com” web site. This web site promoted an NFT-based multiplayer on-line battle enviornment (MOBA) recreation themed round tanks named DeTankZone.

Lazarus promoted the sport closely via promoting campaigns on social media platforms like X, spear-phishing emails, and premium LinkedIn accounts utilized in direct assaults on high-value targets.

Upon downloading and reserve engineering the sport, Kaspersky found the sport was based mostly on stolen supply code from a reputable recreation named DeFiTankLand, which Lazarus had merely rebranded for his or her functions.

The 400MB ZIP obtain launches as anticipated, nevertheless it doesn’t work previous the login/registration display screen because the backend infrastructure for the sport was shut down. Moreover, it didn’t carry out any malicious actions on the goal’s system.

The Google Chrome exploitation occurs on the detankzone[.]com web site itself, which contained a hidden script (index.tsx) designed to set off an exploit for CVE-2024-4947, a kind confusion in V8, Chrome’s Javascript engine.

Lazarus' exploit on the fake game site
Lazarus’ exploit on the decoy web site
Supply: Kaspersky

Lazarus’ exploit script corrupted Chrome’s reminiscence by leveraging the app’s JIT compiler, Maglev, overwriting sections that finally gave them entry to all the handle area of Chrome’s course of.

At this stage, the attackers might entry cookies, authentication tokens, saved passwords, and searching historical past.

 Heap corruption with manipulated arrays and structures
 Heap corruption with manipulated arrays and buildings
Supply: Kaspersky

Chrome’s V8 sandbox isolates JavaScript execution from the remainder of the system, so Lazarus used a second flaw in V8 to flee it and obtain distant code execution, executing shellcode within the system’s reminiscence.

“This issue (330404819) was submitted and fixed in March 2024,” explains Kaspersky concerning the V8 escape flaw.

“It is unknown whether it was a bug collision and the attackers discovered it first and initially exploited it as a 0-day vulnerability, or if it was initially exploited as a 1-day vulnerability.”

The shellcode Lazarus used serves as a reconnaissance software, serving to the attackers decide if the compromised machine is efficacious sufficient to proceed the assault.

It collected CPU, BIOS, and OS info, carried out anti-VM and anti-debugging checks, and despatched the data to Lazarus’ command-and-control (C2) server.

Kaspersky didn’t have the possibility to look at the following assault steps, as, by the point of their evaluation, Lazarus had eliminated their exploit from the decoy web site.

Nevertheless,  based mostly on the individuals the malicious marketing campaign focused and their previous historical past, the assault’s final objective was prone to steal cryptocurrency.

Recent articles

North Korean Hackers Steal $10M with AI-Pushed Scams and Malware on LinkedIn

Nov 23, 2024Ravie LakshmananSynthetic Intelligence / Cryptocurrency The North Korea-linked...

Google Exposes GLASSBRIDGE: A Professional-China Affect Community of Pretend Information Websites

Nov 23, 2024Ravie LakshmananCloud Security / Risk Intelligence Authorities businesses...

China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Marketing campaign

Nov 22, 2024Ravie LakshmananCyber Espionage / Malware A China-linked nation-state...