North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft


The North Korean advanced persistent threat (APT) actor Lazarus was caught exploiting a zero-day vulnerability in Chrome to steal cryptocurrency from the visitors of a fake game website, Kaspersky reports.

Also referred to as Hidden Cobra and active since at least 2009, Lazarus is believed to be backed by the North Korean government and to have orchestrated numerous high-profile heists to generate funds for the Pyongyang regime.

Over the past several years, the APT has focused heavily on cryptocurrency exchanges and users. The group reportedly stole over $1 billion in crypto assets in 2023 and more than $1.7 billion in 2022.

The attack flagged by Kaspersky employed a fake cryptocurrency game website designed to exploit CVE-2024-5274, a high-severity type confusion bug in Chrome’s V8 JavaScript and WebAssembly engine that was patched in Chrome 125 in May.

“It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities. Another vulnerability was used to bypass Google Chrome’s V8 sandbox protection,” the Russian cybersecurity firm says.

According to Kaspersky, which was credited for reporting CVE-2024-5274 after finding the zero-day exploit, the security defect resides in Maglev, one of the three JIT compilers V8 uses.

A missing check for storing to module exports allowed attackers to set their own type for a specific object and cause a type confusion, corrupt specific memory, and gain “read and write access to the entire address space of the Chrome process”.

Next, the APT exploited a second vulnerability in Chrome that allowed them to escape V8’s sandbox. This issue was resolved in March 2024.


The attackers then executed shellcode that collected system information and used it to decide whether a next-stage payload should be deployed. The purpose of the attack was to deploy malware onto the victims’ systems and steal cryptocurrency from their wallets.

According to Kaspersky, the attack shows not only Lazarus’ deep understanding of how Chrome works, but also the group’s focus on maximizing the campaign’s effectiveness.

The website invited users to compete with NFT tanks and was accompanied by social media accounts on X (formerly Twitter) and LinkedIn that promoted the game for months. The APT also used generative AI and attempted to engage cryptocurrency influencers to promote the game.

Lazarus’ fake game website was based on a legitimate game, closely mimicking its logo and design, and was likely built using stolen source code. Shortly after Lazarus started promoting the fake website, the legitimate game’s developers said $20,000 in cryptocurrency had been moved from their wallet.
