Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The notorious Lazarus Group from North Korea is attempting to steal from Bitcoin users all around the world by employing a well-designed phony game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated graphics, and other tactics.

The complex campaign seems to have started in February, and since then, the organization has promoted its malware-infected crypto game site by deceiving prominent figures in the cryptocurrency industry and using many X accounts.
Detailed Campaign
Kaspersky researchers found the most current campaign while looking into a recent malware outbreak. "Over the years, we have uncovered many [Lazarus] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," the researchers said. "Lazarus has already begun utilizing generative AI with success, and we anticipate that they will develop even more elaborate attacks using it," the security vendor noted.
Although its name may not be immediately familiar, the state-sponsored Lazarus gang is undoubtedly one of the most active and dangerous cyber threat groups. Lazarus, along with subgroups like Andariel and Bluenoroff, has been involved in numerous high-profile security incidents since gaining headlines in 2014 with an attack on Sony Pictures.
These have included attempts to obtain COVID-19 vaccine-related secrets from large pharmaceutical corporations during the height of the pandemic, the WannaCry ransomware attack, and the $81 million heist at the Bank of Bangladesh. Many of the group's financially driven attacks, such as those involving ransomware, card skimming, and cryptocurrency users, are thought by analysts to be genuine attempts to raise money for the North Korean government's missile program, which is now struggling financially.
In the most recent campaign, the team seems to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well-designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.
A Second Bug and a Chrome Zero-Day
The website contained attack code for two Chrome vulnerabilities, according to Kaspersky. One of these, identified as CVE-2024-4947, was a zero-day vulnerability in Chrome's V8 JavaScript engine that had not been discovered before this campaign. It allowed the attackers to use a specially constructed HTML page to run arbitrary code inside the browser sandbox. After Kaspersky alerted Google to the vulnerability, the company fixed it in May.
The other Chrome vulnerability that Kaspersky found in the most recent Lazarus Group attack appears to lack a formal identifier. It gave the attackers a means of escaping the Chrome V8 sandbox and complete access to the system. Using that access, the threat actor deployed shellcode to gather data about the compromised system before determining whether to install other malicious payloads, such as a backdoor known as Manuscript, on the compromised system.
The work that actors from the Lazarus Group seem to have put into the campaign's social engineering component is what sets it apart. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," the researchers at Kaspersky said. "They used multiple fake accounts to promote their site via X and LinkedIn along with AI-generated content and images to create an illusion of authenticity around their fake game site. The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," the authors stated.