The North Korean Lazarus hacking group has exploited a Google Chrome zero-day vulnerability, CVE-2024-4947, through a fake decentralized finance (DeFi) game targeting cryptocurrency users.

The cyberattack, discovered by Kaspersky on May 13, 2024, was aimed at individuals in the crypto space and involved the use of a malicious website promoting a fake game named DeTankZone.

Kaspersky promptly reported the Chrome vulnerability to Google, and by May 25, 2024, a patch was issued with Chrome version 125.0.6422.60/.61, effectively closing the security gap.

The Attack Unfolds

The campaign, which started in February 2024, was uncovered when Kaspersky detected a variant of the Manuscrypt malware on a Russian user’s computer. Lazarus had used Manuscrypt before, but this time their focus expanded to seemingly random targets. Their approach centered on the fake website detankzone[.]com, which advertised an NFT-based multiplayer online battle arena (MOBA) game themed around tanks. The site, however, concealed malicious code designed to exploit Chrome’s zero-day flaw.


Lazarus aggressively promoted this game through social media ads, spear-phishing emails, and even premium LinkedIn accounts used to approach high-value individuals directly. Upon analysis, Kaspersky found that the game was based on stolen code from a legitimate game, DeFiTankLand, which the hackers had rebranded.

Exploiting Chrome’s Vulnerability

The attack relied on a hidden script within the game’s website that exploited a flaw in Chrome’s V8 JavaScript engine, specifically a type confusion vulnerability. This allowed Lazarus to manipulate Chrome’s memory, giving them access to sensitive data such as cookies, authentication tokens, and browsing history.


After gaining this access, the attackers used another V8 flaw to break out of Chrome’s JavaScript sandbox and execute shellcode on the system, enabling remote code execution.

The shellcode collected reconnaissance data, such as CPU and OS details, and sent it back to Lazarus’ command-and-control (C2) server. Based on the campaign’s targets and Lazarus’ past activity, Kaspersky believes the ultimate goal was likely to steal cryptocurrency from high-value victims.
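The two concrete facts a defender can act on from this write-up are the patched Chrome build (125.0.6422.60/.61) and the decoy domain detankzone[.]com. The following Python is an added example, not code from the article or from Kaspersky, that turns both into checks: it parses Chrome version strings and flags builds older than the fix, and it refangs the published indicator and scans proxy log lines for requests to that domain or its subdomains. The log format, client addresses and the browser inventory are constructed for the example and are assumptions, not data from the page.

```python
"""Defender-side checks for the CVE-2024-4947 campaign described above.

Added example. The proxy log layout and the browser inventory below are
constructed; only the patched version and the defanged domain come from
the write-up.
"""
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import urlparse

# First Chrome builds shipping the CVE-2024-4947 fix (from the write-up).
PATCHED_CHROME_VERSION = (125, 0, 6422, 60)

# Decoy site as published in defanged form; refanged only at match time.
DEFANGED_IOC = "detankzone[.]com"


def parse_chrome_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple that compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_patched(version: str) -> bool:
    """True when the build is at or above the first fixed release."""
    return parse_chrome_version(version) >= PATCHED_CHROME_VERSION


def unpatched_hosts(inventory: dict) -> List[str]:
    """Return hostnames whose installed Chrome predates the fix."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


def refang(ioc: str) -> str:
    """Undo the usual [.] / hxxp defanging so the indicator can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, ioc_domain: str) -> bool:
    """Match the domain itself or any subdomain; never a mere suffix match."""
    h = host.lower().rstrip(".")
    d = ioc_domain.lower()
    return h == d or h.endswith("." + d)


class Hit(NamedTuple):
    line_no: int
    client: str
    host: str


# Assumed log shape: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_proxy_log(lines: List[str], iocs: List[str]) -> List[Hit]:
    """Flag every request whose hostname is, or sits under, a listed domain."""
    domains = [refang(i) for i in iocs]
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlparse(m.group("url")).hostname or ""
        if any(host_matches(host, d) for d in domains):
            hits.append(Hit(n, m.group("client"), host))
    return hits


# Constructed sample data; not real traffic or real endpoints.
SAMPLE_LOG = [
    "2024-05-10T09:12:01Z 10.0.0.5 GET https://example.com/ 200",
    "2024-05-10T09:13:44Z 10.0.0.7 GET https://www.detankzone.com/play 200",
    "2024-05-10T09:14:02Z 10.0.0.7 GET https://DETANKZONE.COM/ 200",
    "2024-05-10T09:15:00Z 10.0.0.9 GET https://notdetankzone.com/ 200",
]
SAMPLE_INVENTORY = {
    "ws-finance-01": "124.0.6367.207",
    "ws-finance-02": "125.0.6422.61",
    "ws-trading-03": "125.0.6422.59",
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, [DEFANGED_IOC]):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host}")
    print("needs Chrome update:", unpatched_hosts(SAMPLE_INVENTORY))
```

The subdomain test deliberately requires a leading dot, so a look-alike such as notdetankzone.com is not reported; the version comparison treats the .61 build as patched because it is later than .60, which is the first fixed release named in the write-up.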

By the time Kaspersky analyzed the decoy site, the hackers had already removed their exploit, making further investigation difficult. However, the case highlights the ongoing risks in the cryptocurrency space and the sophisticated tactics employed by state-sponsored hacking groups like Lazarus.