- Lazarus used a fake NFT tank game as a front to hack users.
- A zero-day exploit for Chrome gave the attackers complete control of victims' PCs.
- Google fixed the vulnerability, but not before many were compromised.
Lazarus, the notorious North Korean cyber-espionage group, is at it again. This time, they disguised their malware as a DeFi multiplayer online battle arena (MOBA) game and delivered it through a zero-day vulnerability in Google Chrome.
Kaspersky said that on May 13, 2024, its Total Security product detected the attack after a Russian user visited the fake game website and was served the exploit.
Lazarus typically targets governments, banks, and large corporations, so this attack on a single user was unusual.
According to Kaspersky's investigation, the attack originated on detankzone[.]com, a website posing as a legitimate game page.
The site was created to trick players into downloading a trial version of a bogus tank-based game, all while secretly executing a zero-day exploit in Chrome.
This vulnerability enabled Lazarus to gain complete control of the user's computer.
At the heart of the attack was Chrome's V8 JavaScript engine, the component that compiles and runs web scripts.
The attackers chained two vulnerabilities: one gave them read and write access to the memory of the Chrome process, and a second let them escape V8's sandbox.
Together these flaws let Lazarus take over the user's system. Simply visiting the website was enough to infect a computer, with no download and no warning.
Within two days of Kaspersky's notification, Google released a patch that addressed the vulnerabilities.
Detankzone[.]com, along with other sites associated with the attack, was blocked by Google, preventing further access and warning users of their malicious nature.
But by the time the exploit was detected, the damage had already been done.
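Since the report names the lure domain, the practical response for a defender is to hunt for it in DNS and proxy telemetry. The following is an added example, not code from the article or from Kaspersky: it refangs the indicator as printed here (detankzone[.]com), extracts the hostname from each log line, and matches the domain and its subdomains while ignoring look-alikes that merely contain the string. The log lines are constructed for the example and are not real telemetry; the log field names (query=, url=) are an assumed format.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicator from the report, in the defanged form used in this article.
DEFANGED_IOCS = ["detankzone[.]com"]

# Constructed sample log lines (not real telemetry); field names are assumed.
SAMPLE_LOGS = [
    "2024-05-13T10:01:22Z dns client=10.0.0.7 query=detankzone.com type=A",
    "2024-05-13T10:01:23Z proxy client=10.0.0.7 method=GET url=https://detankzone.com/download status=200",
    "2024-05-13T10:02:05Z dns client=10.0.0.9 query=cdn.detankzone.com type=A",
    # Contains the string in the path only: must NOT match.
    "2024-05-13T10:02:40Z proxy client=10.0.0.11 method=GET url=https://example.com/notdetankzone.com/page status=200",
    # Look-alike where the IOC is a prefix, not the registered domain: must NOT match.
    "2024-05-13T10:03:01Z dns client=10.0.0.12 query=detankzone.com.evil-lookalike.net type=A",
]

HOST_FIELDS = re.compile(r"\b(?:query|url|host)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into a matchable form."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .strip()
        .lower()
    )


def defang(host: str) -> str:
    """Defang a hostname for safe inclusion in a report or ticket."""
    return host.replace(".", "[.]")


def extract_host(line: str) -> Optional[str]:
    """Pull the queried or requested hostname out of a log line, or None if absent."""
    m = HOST_FIELDS.search(line)
    if not m:
        return None
    value = m.group(1)
    if "://" in value:
        # Full URL: only the authority part is an indicator, never the path.
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")


def matches_ioc(host: str, ioc: str) -> bool:
    """Exact domain or a subdomain of it; substring hits elsewhere do not count."""
    return host == ioc or host.endswith("." + ioc)


def hunt(lines: Iterable[str], defanged_iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (defanged matched host, log line) for every line that touches an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        if any(matches_ioc(host, ioc) for ioc in iocs):
            hits.append((defang(host), line))
    return hits


if __name__ == "__main__":
    for host, line in hunt(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"HIT {host}: {line}")
```

Matching on the parsed hostname rather than on the raw line is the point: a naive substring search would flag the path in the fourth line and the look-alike in the fifth, while missing nothing the parsed match catches.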
Interestingly, Microsoft published a blog post on May 28, 2024, that discussed the campaign under the name “Moonstone Sleet.”
Though their analysis was insightful, it did not mention the Chrome zero-day, which Kaspersky emphasized was central to the attack.
Lazarus APT is no stranger to using social engineering to distribute malware. In this campaign, they used multiple accounts on X (formerly Twitter) to promote the fake NFT game with professionally designed content, generating interest from cryptocurrency influencers.
Lazarus persuaded these influencers to promote their game, thereby spreading the malware. They also used fake websites, LinkedIn accounts, and spear-phishing emails to lure more victims.
Kaspersky's researchers were attracted by the game and decided to download it themselves.
Despite the game's appealing design, it was mostly non-functional. Kaspersky engineers reverse-engineered the game, even launching their own game server to investigate its code.
They discovered that the entire game was built on stolen source code from another game called DeFiTankLand, whose developers had reported a $20,000 cryptocurrency theft earlier this year.
Lazarus had repurposed the game and its assets for their own campaign, a measure of how much planning went into the operation.