Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day

October 23, 2024 at 02:08PM

The North Korean Lazarus hacking group exploited a Google Chrome zero-day (CVE-2024-4947) through a fake DeFi game, targeting cryptocurrency users. Discovered by Kaspersky on May 13, 2024, the exploit gained access to sensitive data. Google issued a fix by May 25, 2024, addressing the vulnerability.

### Meeting Takeaways:

**Incident Overview:**
– The North Korean Lazarus hacking group exploited a zero-day vulnerability in Google Chrome (CVE-2024-4947) through a counterfeit decentralized finance (DeFi) game, targeting individuals in the cryptocurrency sector.

**Key Dates:**
– **Discovery of Attacks:** May 13, 2024, by Kaspersky.
– **Notification to Google:** Chrome zero-day flaw was reported on the same day.
– **Fix Released:** Google issued a patch for CVE-2024-4947 on May 25, 2024, with Chrome versions 125.0.6422.60/.61.

**Attack Details:**
– **Campaign Start:** February 2024, identified through a new variant of Manuscrypt malware found on a customer’s PC in Russia.
– **Targeting Methodology:** Lazarus demonstrated atypical targeting behavior by including random individuals in addition to typical high-value targets.
– **Exploitation Method:** The zero-day exploit was triggered through detankzone[.]com, which hosted a fake NFT-based multiplayer online battle arena game named DeTankZone.

**Malware Insights:**
– The game was based on stolen code from a legitimate game, rebranded for malicious use.
– Downloading the game's 400MB ZIP produced no malicious activity beyond a non-functional login/register screen, because the backend infrastructure was inactive.

**Technical Mechanism:**
– A hidden script on detankzone[.]com exploited CVE-2024-4947, causing memory corruption in Chrome and granting the attackers access to sensitive data, such as cookies and passwords.
– A second vulnerability in Chrome’s V8 JavaScript engine allowed the attackers to escape the sandbox environment and achieve remote code execution.
– The shellcode used by Lazarus functioned as reconnaissance, gathering system information and assessing the value of the compromised machine.

**Outcome and Objectives:**
– The ultimate goal of the attack was likely the theft of cryptocurrency.
– Kaspersky was unable to analyze the subsequent attack steps because Lazarus removed the exploit before it could be investigated further.

### Action Items:
– Ensure systems are updated to the latest versions of Chrome to mitigate risks from the identified vulnerabilities.
– Monitor traffic for any signs of the detankzone[.]com domain or similar decoy sites.
– Continue analyzing potential targets based on the attack patterns observed from Lazarus.
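A small defender-side helper for the first two action items, added here as an example and not code from the article or from Kaspersky: it checks a Chrome build against the 125.0.6422.60 fix level quoted above and scans constructed proxy log lines for requests to the decoy domain. The key=value log layout, its field names and the sample lines are assumptions made for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fix level the article quotes for CVE-2024-4947: Chrome 125.0.6422.60/.61.
# Using .60 as the floor treats both release builds as patched.
FIXED_BUILD = (125, 0, 6422, 60)
# Decoy domain from the article (written defanged on the page as detankzone[.]com).
DECOY_DOMAINS = {"detankzone.com"}
# Assumed key=value proxy log layout, constructed for this example.
_LOG_RE = re.compile(r'host=(?P<host>\S+).*?ua="(?P<ua>[^"]*)"')

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '125.0.6422.60' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version: str) -> bool:
    """True when the build is at or above the first CVE-2024-4947 fix."""
    return parse_version(version) >= FIXED_BUILD

def chrome_version_from_ua(ua: str) -> Optional[str]:
    """Pull the Chrome/x.y.z.w token out of a User-Agent string, if present."""
    m = re.search(r"Chrome/(\d+\.\d+\.\d+\.\d+)", ua)
    return m.group(1) if m else None

def triage_log(lines: Iterable[str]) -> List[dict]:
    """Flag requests to the decoy domain (or a subdomain of it) and record
    whether the requesting Chrome build predates the fix ("exposed")."""
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # not a request line in the assumed layout
        host = m.group("host").lower().rstrip(".")
        if not any(host == d or host.endswith("." + d) for d in DECOY_DOMAINS):
            continue
        ver = chrome_version_from_ua(m.group("ua"))
        findings.append({"line": line, "host": host, "chrome": ver,
                         "exposed": ver is not None and not is_patched(ver)})
    return findings

# Constructed sample lines for a self-contained run (not taken from the article).
SAMPLE_LOG = [
    '2024-05-14T10:02:11Z src=10.0.0.15 host=detankzone.com path=/ ua="Mozilla/5.0 Chrome/124.0.6367.201 Safari/537.36"',
    '2024-05-14T10:05:42Z src=10.0.0.22 host=example.org path=/ ua="Mozilla/5.0 Chrome/125.0.6422.60 Safari/537.36"',
    '2024-05-27T08:11:03Z src=10.0.0.31 host=www.detankzone.com path=/play ua="Mozilla/5.0 Chrome/125.0.6422.76 Safari/537.36"',
]
```

`triage_log(SAMPLE_LOG)` returns two findings: the first (Chrome 124.0.6367.201) is marked exposed, the second (125.0.6422.76) is not, and the request to example.org is ignored.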
