The North Korean hacking group, known as the Lazarus Group, has been linked to a recent cyberattack that exploited a serious flaw in Google Chrome to take over users’ devices.
The attack leveraged a zero-day vulnerability, which has since been patched, allowing the hackers to gain control of infected computers through a carefully crafted fake gaming website.
The breach was first discovered in May 2024, when cybersecurity researchers identified an intricate attack chain involving the “Manuscrypt” backdoor.
The investigation began after the personal computer of an unnamed individual from Russia was compromised. According to the report, this campaign started in February 2024, targeting individuals in the cryptocurrency industry.
The fraudulent site, which impersonated a legitimate blockchain gaming page for a fictional decentralized finance (DeFi) tank game, invited users to download a trial version. However, beneath the professional-looking facade was a hidden script that launched a zero-day exploit, ultimately giving the attackers full control of the device.
The specific vulnerability involved, labeled CVE-2024-4947, was a “type confusion” issue in Chrome’s V8 JavaScript engine, patched by Google in mid-May 2024. Researchers noted the attackers also circumvented the V8 sandbox, a critical security layer, by exploiting a second flaw that allowed access to memory outside designated areas. Google addressed this vulnerability after a separate report in March 2024, though it’s uncertain if Lazarus exploited it as a zero-day.
Following initial access, Lazarus used shellcode to assess the compromised device’s value, determining if further exploitation was warranted. While the precise nature of the final malware payload remains unknown, Lazarus continued its scheme using social engineering tactics, engaging potential targets in the cryptocurrency space.
The attackers promoted their game using artificial intelligence tools and graphic design, building a strong social media presence on platforms such as X (formerly Twitter) and LinkedIn. This concerted effort was part of an elaborate campaign to attract cryptocurrency influencers and encourage them to download the malware-laden archive “detankzone.zip.”
Further analysis revealed that Lazarus may have stolen the source code for this fake game from a legitimate blockchain play-to-earn (P2E) game named “DeFiTankLand” following a hack in March 2024.
The breach, which also involved the theft of digital coins worth $20,000, was initially attributed to insider involvement. However, researchers believe Lazarus repurposed this stolen code to further their campaign, illustrating how the group’s sophisticated tactics continually evolve.
To reduce the risk of such attacks, users should remain cautious when engaging with unfamiliar websites, particularly those that prompt software downloads or registration. Avoid clicking on unsolicited links or downloading files from unknown sources, even if they appear on reputable platforms.