
Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The nefarious North Korean cyber entity, Lazarus Group, has been implicated in the exploitation of a critical security flaw in Google Chrome, enabling them to gain control over compromised devices. This discovery, unveiled by cybersecurity experts, has added another layer of concern to the ongoing threat landscape.

In May 2024, cybersecurity firm Kaspersky uncovered a new attack chain that singled out the personal computer of a Russian individual. This attack employed the Manuscrypt backdoor in a well-coordinated attempt to hijack systems in the cryptocurrency realm.

The attack was orchestrated through a seemingly legitimate gaming website titled “detankzone[.]com,” which was actually a deceitful façade targeting individuals within the cryptocurrency sector. This malicious campaign is believed to have initiated around February 2024.

According to cybersecurity researchers, what appeared to be a professionally designed portal for a decentralized finance (DeFi) NFT-based multiplayer tank game was, in reality, a mechanism for deception. The site invited users to download a trial version of the game, masking its true intentions.

“Beneath the stylish exterior, an insidious script lay hidden, operating within the user’s Google Chrome browser to launch a powerful exploit that granted attackers unfettered control over the victim’s computer,” the cybersecurity experts explained.

The identified vulnerability, tracked as CVE-2024-4947, is a type confusion bug in the V8 JavaScript and WebAssembly engine. Google patched the flaw in mid-May 2024, curbing the danger it posed to users worldwide.

Intriguingly, this was not the first instance of a malicious gaming platform acting as a vector for delivering malware. A similar trend was previously identified by Microsoft, connected to another North Korean threat group known as Moonstone Sleet.

These treacherous operations often involve approaching potential victims through emails or messaging platforms, coaxing them into downloading the deceptive game under the guise of a blockchain enterprise or a game developer seeking investment.

The latest developments from Kaspersky provide a deeper insight into such attacks, underscoring the pivotal role played by the zero-day browser exploit within these operations.

Specifically, the exploit harbors code for twin vulnerabilities. The first permits attackers to manipulate the entire address space of the Chrome process using JavaScript, while the second circumvents the V8 sandbox.

The second vulnerability arises because the virtual machine utilizes a fixed array for register storage, and the register indexes decoded from instructions are unverified. This loophole allows cybercriminals to access memory beyond the register array’s limits.
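The weakness described above, a fixed-size register file indexed by operands decoded straight from the instruction stream with no range check, is easiest to see in a toy interpreter. The following is an added illustration, not code from V8, Chrome or the article: the operand validation that the text says was missing is shown in place, with the flawed unchecked access left as a comment so it is never executed. The opcode set, instruction format, register count and function names are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy register VM (constructed for this example; not V8's bytecode). */
#define NUM_REGS 8

enum opcode { OP_LOADI = 1, OP_ADD = 2, OP_HALT = 3 };

typedef struct {
    int64_t regs[NUM_REGS];  /* fixed-size register file, like the one the article describes */
    int64_t guard;           /* neighbouring memory an unchecked index would reach */
} vm_t;

/* Result codes for the checked interpreter. */
enum { VM_OK = 0, VM_ERR_BAD_REG = -1, VM_ERR_BAD_OP = -2, VM_ERR_TRUNC = -3 };

/* The check whose absence turns a register operand into an arbitrary offset. */
static int reg_index_ok(uint8_t r)
{
    return r < NUM_REGS;
}

/* Hardened interpreter: every register operand decoded from the instruction
 * stream is validated against NUM_REGS before it is used as an array index.
 * Operand widths: LOADI rd, imm8 (3 bytes); ADD rd, rs1, rs2 (4 bytes); HALT (1 byte). */
static int vm_run_checked(vm_t *vm, const uint8_t *code, size_t len)
{
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc];
        switch (op) {
        case OP_LOADI: {
            if (pc + 3 > len) return VM_ERR_TRUNC;
            uint8_t rd = code[pc + 1];
            if (!reg_index_ok(rd)) return VM_ERR_BAD_REG;
            /* Flawed pattern (never executed here): vm->regs[rd] = imm; with no
             * check, rd = 200 would write 200 * 8 bytes past the register file. */
            vm->regs[rd] = (int8_t)code[pc + 2];
            pc += 3;
            break;
        }
        case OP_ADD: {
            if (pc + 4 > len) return VM_ERR_TRUNC;
            uint8_t rd = code[pc + 1], rs1 = code[pc + 2], rs2 = code[pc + 3];
            if (!reg_index_ok(rd) || !reg_index_ok(rs1) || !reg_index_ok(rs2))
                return VM_ERR_BAD_REG;
            vm->regs[rd] = vm->regs[rs1] + vm->regs[rs2];
            pc += 4;
            break;
        }
        case OP_HALT:
            return VM_OK;
        default:
            return VM_ERR_BAD_OP;
        }
    }
    return VM_OK;  /* ran off the end without HALT; treated as a clean stop */
}

int main(void)
{
    vm_t vm;
    memset(&vm, 0, sizeof vm);

    /* Constructed well-formed program: r0 = 5; r1 = 7; r2 = r0 + r1; halt. */
    const uint8_t good[] = { OP_LOADI, 0, 5, OP_LOADI, 1, 7, OP_ADD, 2, 0, 1, OP_HALT };
    int rc = vm_run_checked(&vm, good, sizeof good);
    printf("good program: rc=%d r2=%lld\n", rc, (long long)vm.regs[2]);

    /* Constructed malformed program: register index 200 is outside the file. */
    const uint8_t bad[] = { OP_LOADI, 200, 1, OP_HALT };
    rc = vm_run_checked(&vm, bad, sizeof bad);
    printf("bad program: rc=%d guard=%lld\n", rc, (long long)vm.guard);
    return 0;
}
```

The point of the example is the single comparison in `reg_index_ok`: once operand indexes come from attacker-controlled bytecode, every use of them as an array subscript needs that bound, and a rejected instruction should stop the interpreter rather than be skipped.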

This V8 sandbox escape was addressed by Google in March 2024, following a bug report submitted earlier that month. However, it remains unclear whether the attackers discovered and used it as a zero-day or as an N-day vulnerability.

After a successful exploit, the attacker deploys a validator in the form of shellcode, tasked with gathering system details. The information aids in assessing the machine’s value for further exploitation, although the precise payload details remain undisclosed.

The Lazarus Group’s efforts in their social engineering campaigns are indeed remarkable and persistent. Their modus operandi often includes engaging with prominent figures in the cryptocurrency sector to help disseminate their malicious platforms.

For several months, the attackers built a robust social media presence, posting consistently on X (formerly known as Twitter) and using generative AI and design professionals to promote their malicious game.

Cyber adversaries have been actively utilizing social networks and professional platforms like LinkedIn, as well as tailored websites and email communications, to draw the interest of their targets.

The website also entices users to download a ZIP file (“detankzone.zip”) that contains a fully operational game requiring user registration, but which also includes code to launch a custom loader named YouieLoad, as previously detailed in various cybersecurity reports.

Interestingly, it’s suspected that Lazarus Group purloined the source code for this game from a legitimate blockchain play-to-earn game named DeFiTankLand (DFTL). This breach in March 2024 resulted in the loss of $20,000 worth of DFTL2 coins.

While the developers of the compromised project attributed the breach to internal betrayal, suspicions lie upon Lazarus for acquiring the game source code and deploying it to fulfill their objectives.

Lazarus Group, notorious among Advanced Persistent Threat (APT) actors for its sophisticated attacks, is primarily financially motivated. Its tactics continue to evolve, with increasingly intricate social engineering schemes.

Their adept use of generative AI features prominently in their arsenal, and it’s projected that even more sophisticated assaults will emerge as they refine their strategies.
