The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices.
Cybersecurity vendor Kaspersky said it made the discovery after it came across a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor.
This entails triggering the zero-day exploit simply upon visiting a fake game website ("detankzone[.]com") that was aimed at individuals in the cryptocurrency sector. The campaign is estimated to have commenced in February 2024.
"On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version," Kaspersky researchers Boris Larin and Vasily Berdnikov said.
"But that was just a disguise. Under the hood, this website had a hidden script that ran in the user's Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim's PC."
The vulnerability in question is CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine that Google patched in mid-May 2024.
The use of a malicious tank game (DeTankWar, DeFiTankWar, DeTankZone, or TankWarsZone) as a conduit to deliver malware is a tactic that Microsoft has attributed to another North Korean threat activity cluster dubbed Moonstone Sleet.
These attacks are carried out by approaching prospective targets through email or messaging platforms, tricking them into installing the game by posing as a blockchain company or a game developer seeking investment opportunities.
Kaspersky's latest findings add another piece to the attack puzzle, highlighting the role played by the zero-day browser exploit in the campaign.
Specifically, the exploit contains code for two vulnerabilities: the first is used to give attackers read and write access to the entire address space of the Chrome process from the JavaScript (CVE-2024-4947), and the second is abused to get around the V8 sandbox.
"The [second] vulnerability is that the virtual machine has a fixed number of registers and a dedicated array for storing them, but the register indexes are decoded from the instruction bodies and are not checked," the researchers explained. "This allows attackers to access the memory outside the bounds of the register array."
The V8 sandbox bypass was patched by Google in March 2024 following a bug report that was submitted on March 20, 2024. That said, it's currently not known if the attackers discovered it earlier and weaponized it as a zero-day, or if it was exploited as an N-day vulnerability.
Successful exploitation is followed by the threat actor running a validator that takes the form of a shellcode responsible for gathering system information, which is then used to determine if the machine is valuable enough to conduct further post-exploitation actions. The exact payload delivered after this stage is currently unknown.
"What never ceases to impress us is how much effort Lazarus APT puts into their social engineering campaigns," the Russian company said, pointing out the threat actor's pattern of contacting influential figures in the cryptocurrency space to help them promote their malicious website.
"For several months, the attackers were building their social media presence, regularly making posts on X (formerly Twitter) from multiple accounts and promoting their game with content produced by generative AI and graphic designers."
The attacker's activity has been observed across X and LinkedIn, not to mention leveraging specially-crafted websites and spear-phishing techniques to infiltrate targets of interest.
The website is also designed to lure visitors into downloading a ZIP archive ("detankzone.zip") that, once launched, is a fully functional downloadable game that requires player registration, but also harbors code to launch a custom loader codenamed YouieLoad, as previously detailed by Microsoft.
What's more, it's believed that the Lazarus Group stole the source code for the game from a legitimate blockchain play-to-earn (P2E) game named DeFiTankLand (DFTL), which suffered a hack of its own in March 2024, leading to the theft of $20,000 worth of DFTL2 coins.
Although the project developers blamed an insider for the breach, Kaspersky suspects that the Lazarus Group was behind it, and that they stole the game's source code alongside the DFTL2 coins and repurposed it to advance their goals.
"Lazarus is one of the most active and sophisticated APT actors, and financial gain remains one of their top motivations," the researchers said.
"The attackers' tactics are evolving and they're constantly coming up with new, complex social engineering schemes. Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it."