© MRS Media Company. Hackerdose LLC. All Rights Reserved.

Chrome Exploited by Hackers Using a Fake Crypto Game

Lazarus used a fake NFT tank game to exploit a zero-day vulnerability in Google Chrome.

Last updated: October 24, 2024 4:25 am
By Marco Rizal - Editor, Journalist
  • Lazarus used a fake NFT tank game as a front to hack users.
  • The browser’s zero-day exploit allowed complete control of victims' PCs.
  • Google fixed the vulnerability, but not before many were compromised.

Lazarus, the notorious North Korean cyber-espionage group, is at it again. This time, they exploited a zero-day vulnerability in Google Chrome, delivering the exploit through a website disguised as the page of a DeFi multiplayer online battle arena (MOBA) game.

Kaspersky reported on May 13, 2024, that their Total Security product detected the attack after a Russian user unknowingly downloaded malware from the fake game website.

Lazarus typically targets governments, banks, and large corporations, so this attack on a single user was unusual.

According to Kaspersky's investigation, the attack originated on detankzone[.]com, a website posing as a legitimate game page.

The site was created to trick players into downloading a trial version of a bogus tank-based game, all while secretly executing a zero-day exploit in Chrome.

Website used by Lazarus with hidden loader malware (Credit: Kaspersky)

This vulnerability enabled Lazarus to gain complete control of the user's computer.

The heart of this cyberattack was Chrome's V8 JavaScript engine, a critical component for processing web scripts.

Hackers discovered a way to manipulate memory by exploiting two vulnerabilities: one to access Chrome's process memory and another to bypass V8's security sandbox.

V8's JavaScript Compilation Pipeline (Credit: Kaspersky)

These flaws allowed Lazarus to infiltrate the user's system. Simply visiting the website was enough to infect any computer without warning.

Within two days of Kaspersky's notification, Google released a patch that addressed the vulnerabilities.

Detankzone[.]com, along with other sites associated with the attack, was blocked by Google, preventing further access and warning users of their malicious nature.
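Because a visit alone was enough to trigger the exploit, a retrospective hunt should flag any request to the domain, not only downloads. The sketch below is an added example, not code from Kaspersky, Google or the article: it refangs the indicator as printed above and matches it on label boundaries against a constructed proxy log whose four-field format (time, client, method, URL) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicator exactly as the article prints it (defanged).
DEFANGED_IOCS = ["detankzone[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) into a plain lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp", "http", s)
    host = urlsplit(s if "://" in s else "//" + s).hostname or ""
    return host.rstrip(".")

def host_matches(host: str, bad: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alike substrings."""
    host = host.lower().rstrip(".")
    return host == bad or host.endswith("." + bad)

def hunt(log_lines, iocs=DEFANGED_IOCS):
    """Return (timestamp, client, host) for every request to a listed domain."""
    bad = [refang(i) for i in iocs]
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing the hunt
        ts, client, method, url = parts[:4]
        # CONNECT lines carry host:port rather than a full URL.
        target = "//" + url if method.upper() == "CONNECT" else url
        host = urlsplit(target).hostname or ""
        if any(host_matches(host, b) for b in bad):
            hits.append((ts, client, host))
    return hits

# Constructed sample log (not real traffic); hostnames are built from the
# refanged indicator so the live form never appears as a literal.
BAD = refang(DEFANGED_IOCS[0])
SAMPLE_LOG = [
    f"2024-05-13T09:14:02Z 10.0.0.21 GET https://{BAD}/",
    f"2024-05-13T09:14:05Z 10.0.0.21 CONNECT www.{BAD.upper()}:443",
    f"2024-05-13T09:20:11Z 10.0.0.34 GET https://not{BAD}/index.html",
    f"2024-05-13T09:21:40Z 10.0.0.34 GET https://{BAD}.example.net/",
    f"2024-05-13T09:25:00Z 10.0.0.40 GET https://example.org/?ref={BAD}",
    "malformed",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Only the first two sample lines are hits; the look-alike host, the host that merely begins with the indicator, and the URL that mentions it in a query string are correctly ignored.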

However, by the time the exploit was detected, the damage had been done.

Interestingly, Microsoft published a blog post on May 28, 2024, that discussed the campaign under the name “Moonstone Sleet.”

Though their analysis was insightful, it failed to highlight the zero-day exploit in Chrome, which Kaspersky emphasized was critical to the attack.

Lazarus APT is no stranger to using social engineering to distribute malware. In this campaign, they used multiple accounts on X (formerly Twitter) to promote the fake NFT game with professionally designed content, generating interest from cryptocurrency influencers.

Fake X accounts used by Lazarus (Credit: Kaspersky)

Lazarus persuaded these influencers to promote their game, thereby spreading the malware. They also used fake websites, LinkedIn accounts, and spear-phishing emails to lure more victims.

Kaspersky's researchers were attracted by the game and decided to download it themselves.

Despite the game's appealing design, it was mostly non-functional. Kaspersky engineers reverse-engineered the game, even launching their own game server to investigate its code.

They discovered that the entire game was built on stolen source code from another game called DeFiTankLand, whose developers had reported a $20,000 cryptocurrency theft earlier this year.

Lazarus had repurposed the game and its assets to launch their campaign, setting a new standard for attack planning.
