
North Korean Lazarus Group Is Attacking Google Chrome Users

The North Korean cyber espionage group, Lazarus, has been linked to the exploitation of a zero-day vulnerability in Google Chrome

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.



The notorious North Korean cyber espionage group, Lazarus, has been linked to the exploitation of a now-patched zero-day vulnerability in Google Chrome. This vulnerability allowed attackers to take full control of compromised devices. The discovery of this attack chain was made by cybersecurity firm Kaspersky in May 2024 and involved the deployment of the Manuscrypt backdoor.

Understanding the Vulnerability

The core of the attack involved exploiting CVE-2024-4947, a type confusion bug found in Chrome's V8 JavaScript and WebAssembly engine. This flaw enabled attackers to manipulate the browser’s memory, giving them read and write access to the entire address space of the Chrome process. The vulnerability was patched by Google in mid-May 2024, but before this fix, attackers used it as part of a broader malicious campaign.

What makes this campaign particularly concerning is the multi-layered nature of the attack. Lazarus combined this zero-day vulnerability with sophisticated social engineering techniques, targeting individuals in the cryptocurrency sector through a fake game website.

How the Attack Was Carried Out

The attack began with victims visiting a seemingly legitimate website for a game called “DeTankZone.” This site was designed to appear as a decentralized finance (DeFi) multiplayer game involving NFTs (non-fungible tokens), targeting those in the cryptocurrency space. However, hidden within the website’s code was a malicious script designed to exploit the zero-day vulnerability in Chrome.

Once the user visited the site, the script would silently launch the exploit, allowing the attackers to execute arbitrary code on the victim’s device without their knowledge. This initial phase granted Lazarus access to the compromised device, setting the stage for further malicious actions.

The attack didn’t stop with just one vulnerability. Lazarus also leveraged a second flaw in Chrome's V8 engine, which enabled them to bypass the browser’s sandbox security mechanisms. This second vulnerability, patched by Google in March 2024, allowed attackers to escalate their privileges within the system, moving beyond Chrome and gaining deeper access to the victim’s machine.

Social Engineering and Financial Ties

As with many of their previous campaigns, Lazarus relied heavily on social engineering. The group went as far as building a fake online presence across social media platforms such as X (formerly Twitter) and LinkedIn to promote the DeTankZone game. Using fake personas, they approached influential figures in the cryptocurrency community, luring them to promote the game or to download and test it.

Once the game was downloaded, it came packaged in a ZIP file that, when opened, contained a functional game alongside custom loader malware known as YouieLoad. Once executed, this loader delivered additional malware to the victim’s system, enabling Lazarus to maintain long-term access to the compromised device.

Further complicating the story is the suspected theft of the game’s source code. Kaspersky researchers believe that Lazarus stole the code from a legitimate blockchain game called DeFiTankLand (DFTL), which was hacked in March 2024. This theft resulted in the loss of $20,000 worth of cryptocurrency and likely gave Lazarus the tools needed to build their fake game, advancing their attack campaign.

Who Is at Risk?

The primary targets of this attack were individuals and organizations involved in the cryptocurrency space, particularly those with connections to decentralized finance (DeFi) and NFT-related projects. However, given the broad tactics employed by Lazarus, anyone who interacts with similar websites or receives unsolicited communications from social media could potentially be at risk.

This campaign also underscores a growing trend in cyber espionage groups like Lazarus to use legitimate-looking games and social media networks to lure victims, especially in the financial sector where the potential for high returns on stolen data is substantial.

How to Protect Yourself

Given the sophistication of this attack, protecting yourself requires a multi-pronged approach:

  1. Update Software Regularly: Ensure that your browser and operating system are always updated to the latest versions. Google patched this vulnerability in mid-May 2024, so users who regularly update their systems were protected from this specific exploit.

  2. Be Cautious of Social Engineering: Always be skeptical of unsolicited invitations, especially those promising financial or investment opportunities. This is particularly important if you are involved in the cryptocurrency space, which remains a frequent target for threat actors like Lazarus.

  3. Use Robust Security Solutions: Employ reputable antivirus and endpoint protection solutions to help identify and block malicious websites and downloads. These tools can add an extra layer of protection, even if a vulnerability has not yet been patched.

  4. Educate Yourself on Phishing Attacks: Threat actors often rely on phishing emails to lure their targets. Understanding how phishing works and being aware of common signs, such as unsolicited attachments or requests for personal information, can help you avoid falling victim.

  5. Monitor Your Accounts: Regularly review your online accounts for any suspicious activity. If you notice any unauthorized logins or changes to your accounts, act immediately by changing your passwords and enabling multi-factor authentication (MFA).

Conclusion

The Lazarus Group continues to demonstrate a high level of sophistication in their cyberattacks. By exploiting zero-day vulnerabilities and leveraging advanced social engineering tactics, they remain a significant threat, particularly to individuals and organizations in the cryptocurrency sector. Staying informed about the latest threats and taking proactive steps to secure your devices and accounts is crucial to minimizing the risk of becoming a victim.