North Korean Lazarus Group Exploits Chrome Zero-Day with Fake DeFi Game
The North Korea-linked Lazarus Group exploited a Google Chrome zero-day (CVE-2024-4947, a type confusion bug in the V8 JavaScript engine) through a fake decentralized finance (DeFi) game aimed at cryptocurrency users. Kaspersky discovered the exploit on May 13, 2024 and reported the flaw to Google, which shipped the fix on May 25 in Chrome 125.0.6422.60/.61.

The campaign dates back to February 2024, when Kaspersky found a variant of the Lazarus malware "Manuscrypt" on a customer's computer in Russia. Lazarus promoted an NFT-based tank battle game called DeTankZone through the site detankzone[.]com; the game was built on source code stolen from a legitimate title, DeFiTankLand. The game itself did not work past the login screen, but that did not matter: a hidden script on the site exploited the Chrome vulnerability in the background as soon as a visitor loaded the page.

The exploit gave Lazarus read and write access to the browser's memory, and with it to sensitive data such as cookies, authentication tokens, and saved passwords. The attackers chained a second V8 flaw to escape the V8 sandbox and execute arbitrary code. Kaspersky was unable to fully analyze the later stages of the attack, but the goal was most likely cryptocurrency theft.
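The first thing a practitioner wants after a brief like this is to know which machines are still running a Chrome build older than the fixed one. The following Python is an added example, not code from the article or from Kaspersky or Google: it parses four-part Chrome version strings, compares them against the 125.0.6422.60 build the article names, and triages a constructed inventory of hypothetical hostnames into patched, exposed and unknown.

```python
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the article: 125.0.6422.60 / .61.
# Any well-formed version that compares lower is treated as exposed to CVE-2024-4947.
MIN_FIXED_VERSION = (125, 0, 6422, 60)


def parse_chrome_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.build.patch' into a tuple of ints; None if malformed."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or past the fixed version, False if older,
    None if the string cannot be parsed (treat as unknown, not as safe)."""
    parsed = parse_chrome_version(version)
    if parsed is None:
        return None
    return parsed >= MIN_FIXED_VERSION


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Classify 'hostname,version' inventory lines into patched/exposed/unknown.
    Blank lines and '#' comments are skipped."""
    result: Dict[str, List[str]] = {"patched": [], "exposed": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        status = is_patched(version)
        bucket = "unknown" if status is None else ("patched" if status else "exposed")
        result[bucket].append(host.strip())
    return result


# Constructed sample inventory: hypothetical hostnames and versions, not real data.
SAMPLE_INVENTORY = """
# host,chrome_version
ws-001,124.0.6367.208
ws-002,125.0.6422.60
ws-003,125.0.6422.61
ws-004,125.0.6422.41
ws-005,126.0.6478.55
ws-006,unknown
""".strip().splitlines()


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Two caveats when using a check like this: Chrome downloads updates in the background but only runs the new build after a relaunch, so the version reported by the running process is what matters; and a build at or past 125.0.6422.60 only addresses CVE-2024-4947, not the separate V8 sandbox-escape flaw the article mentions, so the version comparison is a patch-level check, not proof that a host was never exposed.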