Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a sophisticated malicious campaign by the Lazarus Advanced Persistent Threat (APT) group, targeting cryptocurrency investors worldwide. The attackers used a fake cryptogame website that exploited a zero-day vulnerability in Google Chrome to install spyware and steal wallet credentials. These findings were presented at the Security Analyst Summit 2024 in Bali.
In May 2024, Kaspersky experts, while analyzing incidents within Kaspersky Security Network telemetry, identified an attack using Manuscrypt malware, which has been used by the Lazarus group since 2013 and documented by Kaspersky GReAT in over 50 unique campaigns targeting various industries. Further analysis revealed a sophisticated malicious campaign that heavily relied on social engineering techniques and generative AI to target cryptocurrency investors.
The Lazarus group is known for its highly advanced attacks on cryptocurrency platforms and has a history of using zero-day exploits. This newly uncovered campaign followed the same pattern: Kaspersky researchers found that the threat actor exploited two vulnerabilities, including a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine. This zero-day vulnerability was fixed as CVE-2024-4947 after Kaspersky reported it to Google. It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities. Another vulnerability was used to bypass Google Chrome’s V8 sandbox protection.
The attackers exploited this vulnerability through a thoroughly designed fake game website that invited users to compete globally with NFT tanks. They focused on building a sense of trust to maximize the campaign’s effectiveness, designing details to make the promotional activities appear as genuine as possible. This included the creation of social media accounts on X (formerly known as Twitter) and LinkedIn to promote the game over several months, using AI-generated images to enhance credibility. Lazarus has successfully integrated generative AI into their operations, and Kaspersky experts anticipate that attackers will devise even more sophisticated attacks using this technology.
The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly.
A fake cryptogame website that exploited a zero-day vulnerability to install spyware
“ While we’ve seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems. With notorious actors like Lazarus, even seemingly innocuous actions—such as clicking a link on a social network or in an email—can result in the complete compromise of a personal computer or an entire corporate network. The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide,” commented Boris Larin, Principal Security Expert at Kaspersky’s GReAT.
Kaspersky experts discovered a legitimate game that appeared to have been a prototype for the attackers’ version. Shortly after the attackers launched the campaign for the promotion of their game, the real game developers claimed that US$20,000 in cryptocurrency had been transferred from their wallet. The fake game’s logo and design closely mirrored the original, differing only in logo placement and visual quality. Given these similarities and overlaps in the code, Kaspersky experts emphasize that members of Lazarus went to great lengths to lend credibility to their attack. They created a fake game using stolen source code, replacing logos and all references to the legitimate game to enhance the illusion of authenticity in their nearly identical version.
Details of the malicious campaign were presented at the Security Analyst Summit in Bali and now the full report is available on Securelist.com.