
Lazarus Group Exploits Chrome Zero-Day in Latest Campaign


North Korea’s notorious Lazarus Group is using a professionally designed fake game website, a now-patched Chrome zero-day bug, professional-looking LinkedIn accounts, AI-generated images, and other techniques to try to steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space into promoting its malware-infected crypto game site.

Elaborate Campaign

“Over the years, we have uncovered many [Lazarus] attacks on the cryptocurrency industry, and one thing is for certain: these attacks are not going away,” said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. “Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it,” the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in numerous infamous security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the peak of the pandemic.

Analysts believe that many of the group’s financially motivated attacks, including those involving ransomware, card skimming, and cryptocurrency users, are really attempts to generate revenue for the cash-strapped North Korean government’s missile program.

In the latest campaign the group appears to have refined some of the social engineering techniques employed in previous campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

A Chrome Zero-Day and a Second Bug

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome’s V8 JavaScript engine. It gave the attackers a way to execute arbitrary code inside the browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode that collected information on the compromised system before deciding whether to deploy further malicious payloads to it, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. “They focused on building a sense of trust to maximize the campaign’s effectiveness, designing details to make the promotional activities appear as genuine as possible,” Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. The attackers used multiple fake accounts to promote their site via X and LinkedIn, alongside AI-generated content and images, to create an illusion of authenticity around the fake game site.

“The attackers also tried to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly,” Larin and Berdnikov wrote.


