Cybersecurity Threat Report: Lazarus APT Exploited Zero-Day Vulnerability in Chrome to Steal Crypto

Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a sophisticated malicious campaign by the Lazarus Advanced Persistent Threat (APT) group, targeting cryptocurrency investors worldwide.

The attackers allegedly used a “fake” crypto game website that exploited a zero-day vulnerability in Google Chrome to “install spyware and steal wallet credentials.”

In May of this year, Kaspersky team members, while analyzing incidents within Kaspersky Security Network telemetry, reportedly “identified an attack using Manuscrypt malware, which has been used by the Lazarus group since 2013 and documented by Kaspersky GReAT in over 50 unique campaigns targeting various industries.” Further analysis revealed a “sophisticated malicious campaign that heavily relied on social engineering techniques and generative AI to target cryptocurrency investors.”

The Lazarus group is known for its highly advanced attacks on cryptocurrency platforms and has “a history of using zero-day exploits.”

This uncovered campaign followed the same pattern: Kaspersky researchers found that the threat actor exploited “two vulnerabilities, including a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine.”

This zero-day vulnerability was fixed “as CVE-2024-4947” after Kaspersky reported it to Google.

It allowed attackers to execute “arbitrary code, bypass security features, and conduct various malicious activities.”

Another vulnerability was used to bypass Google Chrome’s V8 sandbox protection.

The attackers exploited this vulnerability through “a thoroughly designed fake game website that invited users to compete globally with NFT tanks.”

They focused on building a sense of trust to maximize the campaign’s effectiveness, designing details to make the “promotional activities appear as genuine as possible.”

This included the creation of social media accounts on X (formerly known as Twitter) and LinkedIn to “promote the game over several months, using AI-generated images to enhance credibility.”

Lazarus has integrated generative AI into their operations, and Kaspersky experts anticipate that attackers will “devise even more sophisticated attacks using this technology.”

The attackers also attempted to engage cryptocurrency influencers for further promotion, “leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly.”

Kaspersky experts discovered a legitimate game “that appeared to have been a prototype for the attackers’ version.”

Shortly after the attackers launched the campaign for the promotion of their game, the real game developers “claimed that US$20,000 in cryptocurrency had been transferred from their wallet.”

The fake game’s logo and design closely “mirrored the original, differing only in logo placement and visual quality.”

Given these similarities and overlaps in the code, Kaspersky experts emphasize that members of Lazarus “went to great lengths to lend credibility to their attack.”

They created a fake game using stolen source code, replacing logos and all references to the “legitimate game to enhance the illusion of authenticity in their nearly identical version.”

Established back in 2008, Global Research & Analysis Team (GReAT) operates at the heart of Kaspersky, “uncovering APTs, cyber-espionage campaigns, major malware, ransomware, and underground cyber-criminal trends across the world.”

Today GReAT consists of 40+ professionals working globally – in Europe, Russia, Latin America, Asia and the Middle East.

These security professionals provide the company with leadership in “anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.”
