Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a sophisticated malicious campaign by the Lazarus Advanced Persistent Threat (APT) group, targeting cryptocurrency investors worldwide. The attackers used a fake cryptogame website that exploited a zero-day vulnerability in Google Chrome to install spyware and steal wallet credentials. These findings were presented at the Security Analyst Summit 2024 in Bali.
In May 2024, Kaspersky experts, while analyzing incidents within Kaspersky Security Network telemetry, identified an attack using Manuscrypt malware, which has been used by the Lazarus group since 2013 and documented by Kaspersky GReAT in over 50 unique campaigns targeting various industries. Further analysis revealed a sophisticated malicious campaign that heavily relied on social engineering techniques and generative AI to target cryptocurrency investors.
The Lazarus group is known for its highly advanced attacks on cryptocurrency platforms and has a history of using zero-day exploits. This newly uncovered campaign followed the same pattern: Kaspersky researchers found that the threat actor exploited two vulnerabilities, including a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine. This zero-day vulnerability was fixed as CVE-2024-4947 after Kaspersky reported it to Google. It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities. Another vulnerability was used to bypass Google Chrome’s V8 sandbox protection.
The attackers exploited this vulnerability through a carefully designed fake game website that invited users to compete globally with NFT tanks. They focused on building a sense of trust to maximize the campaign's effectiveness, designing every detail to make the promotional activity appear as genuine as possible. This included creating social media accounts on X (formerly known as Twitter) and LinkedIn to promote the game over several months, using AI-generated images to enhance credibility. Lazarus has successfully integrated generative AI into its operations, and Kaspersky experts anticipate that attackers will devise even more sophisticated attacks using this technology.
The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly.
A fake cryptogame website that exploited a zero-day vulnerability to install spyware
Details of the malicious campaign were presented at the Security Analyst Summit in Bali, and the full report is now available on Securelist.com.
About Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware, and underground cyber-criminal trends across the world. Today GReAT consists of 40+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. These security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise are constantly being transformed into innovative solutions and services that protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.