Kaspersky Lab researchers have uncovered a sophisticated cyber attack orchestrated by the North Korean hacking group Lazarus. This campaign, which targeted users worldwide, employed a multifaceted approach involving a malicious DeFi game website and the exploitation of a zero-day vulnerability in Google Chrome.
Discovery of New Manuscrypt Backdoor Variant
In May 2024, Kaspersky researchers identified a new variant of the Manuscrypt backdoor on a customer's computer in Russia. Manuscrypt, a full-featured backdoor used by the Lazarus Group since 2013, has appeared in attacks on government agencies, financial institutions, and IT and telecommunications companies.
Malicious DeFi Game Website as Bait
The investigation traced the infection to detankzone[.]com, a website advertising DeTankZone, an NFT-based tank MOBA game. Marketed as a Play-To-Earn project, the game promised cryptocurrency rewards for virtual battles. The downloadable client, however, got no further than a login screen because the game's backend infrastructure had been switched off.
Theft of Legitimate Game Source Code
Researchers found that the attackers had taken the source code of a real game, DeFiTankLand, replaced the logo and stripped out references to the original project. Kaspersky also suspects Lazarus of stealing about $20,000 in cryptocurrency from the original developers' wallet.
Exploitation of Chrome Zero-Day Vulnerability
A critical component of the attack was the exploitation of CVE-2024-4947, a zero-day type confusion bug in V8, the JavaScript engine used by Google Chrome. Kaspersky reported the flaw to Google, which fixed it in Chrome 125 in May 2024. The bug gave the attackers arbitrary code execution inside the browser, which they used to run their own code on the victim's machine. Infection occurred simply by visiting the malicious website: the exploit was served by the page itself, so the game client never had to be downloaded or launched.
Chained V8 Sandbox Bypass
Code execution inside V8 is not enough on its own, because Chrome isolates V8's heap in the V8 sandbox (an in-process memory isolation that is separate from Chrome's OS-level process sandbox). To escape it, the exploit chained a second V8 bug, Chromium issue 330404819. That bug had already been fixed in March 2024, so it was not a zero-day when the attack was observed, and a browser kept up to date in May 2024 would already have carried that fix. Once both bugs had been exploited, the malicious code gathered information about the victim's system and transmitted it to the attackers' servers.
Campaign Scale and Implications
Lazarus Group actively promoted the fake game on social media, used phishing emails, and employed premium LinkedIn accounts to approach targets directly. The campaign demonstrates the increasing complexity and ambition of such attacks, which threaten users and organizations worldwide.
This incident underscores the importance of keeping browsers and operating systems updated promptly: the fix for CVE-2024-4947 shipped in Chrome 125, and the V8 sandbox bypass had been fixed two months earlier. Users should treat unsolicited links and downloads with caution, particularly those tied to cryptocurrency or Play-To-Earn projects. Organizations should block or alert on the bait domain named above, enforce browser updates centrally rather than leaving them to users, deploy threat-detection tooling, and train employees to recognize this kind of lure. As threats continue to evolve, staying informed and proactive remains essential for individuals and businesses alike.
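As an added example (my code, not Kaspersky's or the page's), here are the two checks a defender would most likely run after reading this report: whether a Chrome version string predates the CVE-2024-4947 fix, and whether proxy or DNS logs show contact with the bait domain. The fixed-version figure 125.0.6422.60 comes from Google's May 2024 stable release notes and is my addition; the page only says Chrome 125. The log lines are constructed for the example, with documentation-range IP addresses.

```python
"""Post-report triage for the DeTankZone / CVE-2024-4947 campaign.

Added example, not code from Kaspersky or the page. Two checks:
  1. Does a Chrome version string predate the CVE-2024-4947 fix?
     First fixed stable build: 125.0.6422.60 (Google's May 2024 release
     notes; this figure is my addition, the page only says "Chrome 125").
  2. Do proxy/DNS log lines show contact with the bait domain
     detankzone[.]com (or a subdomain of it)?
The log lines in SAMPLE_LOGS are constructed for this example.
"""
import re

# First Chrome stable build carrying the CVE-2024-4947 fix (my addition, see above).
CVE_2024_4947_FIXED = (125, 0, 6422, 60)

# Bait domain from the report, kept de-fanged the way the page prints it.
BAIT_DOMAINS = {"detankzone[.]com"}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
# A hostname token: dot-separated labels ending in an alphabetic TLD, not glued
# to a preceding word character, dot or hyphen (so IPs and timestamps such as
# 1716200000.123 do not match).
_HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def parse_chrome_version(text):
    """Return the first dotted four-part Chrome version in text as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(x) for x in m.groups())


def cve_2024_4947_status(text):
    """Classify a User-Agent or 'chrome --version' string.

    Returns 'vulnerable', 'patched' or 'inconclusive'. Chrome's reduced
    User-Agent reports only the major version (e.g. Chrome/125.0.0.0), so a
    major-only string is judged by major version alone; a reduced 125.0.0.0
    could sit on either side of .6422.60 and is therefore inconclusive.
    """
    v = parse_chrome_version(text)
    fixed_major = CVE_2024_4947_FIXED[0]
    if v[1:] == (0, 0, 0):           # reduced UA: only the major is real
        if v[0] < fixed_major:
            return "vulnerable"
        if v[0] > fixed_major:
            return "patched"
        return "inconclusive"
    return "vulnerable" if v < CVE_2024_4947_FIXED else "patched"


def refang(indicator):
    """Turn a de-fanged indicator such as 'detankzone[.]com' into a matchable host."""
    return indicator.replace("[.]", ".").lower()


def hosts_in_line(line):
    """Hostnames mentioned in a proxy or DNS log line, lower-cased."""
    return {h.lower().rstrip(".") for h in _HOST_RE.findall(line)}


def flag_bait_contacts(lines, bait=BAIT_DOMAINS):
    """Return (matched_host, line) for every line touching a bait domain or a subdomain of one."""
    bait = {refang(b) for b in bait}
    hits = []
    for line in lines:
        for host in sorted(hosts_in_line(line)):
            if any(host == b or host.endswith("." + b) for b in bait):
                hits.append((host, line.rstrip()))
    return hits


# Constructed sample lines: a squid-style proxy access log and a BIND query log.
SAMPLE_LOGS = [
    "1716200000.123 200 10.0.0.5 TCP_MISS/200 5120 GET https://detankzone.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "client 10.0.0.7#53211: query: cdn.detankzone.com IN A +",
    "1716200001.456 200 10.0.0.5 TCP_MISS/200 812 GET https://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html",
]

if __name__ == "__main__":
    for ua in ("Chrome/124.0.6367.208", "Chrome/125.0.0.0", "Google Chrome 125.0.6422.60"):
        print(ua, "->", cve_2024_4947_status(ua))
    for host, line in flag_bait_contacts(SAMPLE_LOGS):
        print("bait contact:", host, "|", line)
```

The version check is deliberately three-valued: since Chrome's reduced User-Agent freezes everything after the major version, a proxy log alone cannot prove a 125.x build is patched, and the authoritative answer has to come from endpoint inventory. The domain match covers subdomains as well as the apex, but not look-alike hosts, so add any further domains from the report to BAIT_DOMAINS rather than loosening the match.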