Companies

Lazarus APT exploited zero-day vulnerability in Chrome to steal cryptocurrency

Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a sophisticated malicious campaign by the Lazarus Advanced Persistent Threat (APT) group, targeting cryptocurrency investors worldwide. The attackers used a fake cryptogame website that exploited a zero-day vulnerability in Google Chrome to install spyware and steal wallet credentials. These findings were presented at the Security Analyst Summit 2024 in Bali.

In May 2024, Kaspersky experts, while analyzing incidents within Kaspersky Security Network telemetry, identified an attack using Manuscrypt malware, which has been used by the Lazarus group since 2013 and documented by Kaspersky GReAT in over 50 unique campaigns targeting various industries. Further analysis revealed a sophisticated malicious campaign that heavily relied on social engineering techniques and generative AI to target cryptocurrency investors.

The Lazarus group is known for its highly advanced attacks on cryptocurrency platforms and has a history of using zero-day exploits. This newly uncovered campaign followed the same pattern: Kaspersky researchers found that the threat actor exploited two vulnerabilities, including a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine. This zero-day vulnerability was fixed as CVE-2024-4947 after Kaspersky reported it to Google. It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities. Another vulnerability was used to bypass Google Chrome’s V8 sandbox protection.

The attackers exploited this vulnerability through a thoroughly designed fake game website that invited users to compete globally with NFT tanks. They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible. This included the creation of social media accounts on X (formerly known as Twitter) and LinkedIn to promote the game over several months, using AI-generated images to enhance credibility. Lazarus has successfully integrated generative AI into their operations, and Kaspersky experts anticipate that attackers will devise even more sophisticated attacks using this technology.

The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly.

A fake cryptogame website that exploited a zero-day vulnerability to install spyware

" While we’ve seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems. With notorious actors like Lazarus, even seemingly innocuous actions—such as clicking a link on a social network or in an email—can result in the complete compromise of a personal computer or an entire corporate network. The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide," commented Boris Larin, Principal Security Expert at Kaspersky’s GReAT.

Kaspersky experts discovered a legitimate game that appeared to have been a prototype for the attackers’ version. Shortly after the attackers launched the campaign for the promotion of their game, the real game developers claimed that US$20,000 in cryptocurrency had been transferred from their wallet. The fake game's logo and design closely mirrored the original, differing only in logo placement and visual quality. Given these similarities and overlaps in the code, Kaspersky experts emphasize that members of Lazarus went to great lengths to lend credibility to their attack. They created a fake game using stolen source code, replacing logos and all references to the legitimate game to enhance the illusion of authenticity in their nearly identical version.

Details of the malicious campaign were presented at the Security Analyst Summit in Bali and now the full report is available on Securelist.com.

About Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware, and underground cyber-criminal trends across the world. Today GReAT consists of 40+ experts working globally – in Europe, Russia, Latin America, Asia, Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.