The Lazarus APT steals cryptocurrencies by exploiting a Google Chrome browser zero-day vulnerability

Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a sophisticated malicious campaign by the Lazarus Advanced Persistent Threat Group (APT), which targets cryptocurrency investors around the world.

Attackers used a fake crypto-game website that exploited a Google Chrome browser zero-day vulnerability to install spyware and steal cryptocurrency wallet credentials. These findings are being presented at the SAS(1) conference, which is held in Bali this year.

In May 2024, Kaspersky experts analyzing incidents in Kaspersky Security Network telemetry identified an attack using the Manuscrypt malware, which the Lazarus group has used since 2013 and which the Kaspersky GReAT team has detected in over 50 unique campaigns targeting various industries. Further analysis revealed a sophisticated malicious campaign that relied heavily on social engineering techniques and generative artificial intelligence to target cryptocurrency investors.

The Lazarus group is known for its highly advanced attacks on cryptocurrency platforms and has a history of using zero-day exploits. This newly discovered campaign followed the same pattern: Kaspersky researchers found that the threat actor exploited two vulnerabilities, including a previously unknown type confusion bug in V8, Google’s open-source JavaScript and WebAssembly engine. This zero-day vulnerability was patched as CVE-2024-4947 after Kaspersky reported it to Google. It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities. A second vulnerability was used to bypass the Google Chrome V8 sandbox protection.

Attackers exploited this vulnerability through a carefully designed fake game website that invited users to compete globally with NFT tanks. They focused on building a sense of trust to maximize the effectiveness of the campaign, designing the details so that promotional activities looked as authentic as possible. This involved creating social media accounts on X (formerly Twitter) and LinkedIn to promote the game over several months, using AI-generated imagery to boost credibility. Lazarus has successfully integrated generative artificial intelligence into its operations, and Kaspersky experts predict that attackers will devise even more sophisticated attacks using this technology.

The attackers also tried to recruit cryptocurrency influencers for further promotion, using their social media presence to not only distribute the threat but also directly target their crypto accounts.

[Image] A rogue crypto-game website that exploited a zero-day vulnerability to install spyware

“Although we have seen APT actors seeking financial gain before, this campaign was unique. Attackers have gone beyond typical tactics by using a fully functional game as cover to exploit a Google Chrome zero-day vulnerability and infect targeted systems. With notorious actors like Lazarus, even seemingly innocuous actions, such as opening a link on a social network or in an email, can lead to a complete compromise of a personal computer or an entire corporate network. The considerable effort put into this campaign suggests that they had ambitious plans, and the actual impact could be much wider with a potential impact on users and businesses around the world,” said Boris Larin, chief security expert at Kaspersky’s GReAT team.

Kaspersky experts discovered a legitimate game that was probably the prototype for the attackers’ version. Soon after the attackers launched a campaign to promote their game, the real developers of the legitimate game claimed that $20,000 in cryptocurrency had been stolen from their wallet. The logo and design of the fake game largely follow the original, differing only in the placement of the logo and in visual quality. Given these similarities and the code overlaps, Kaspersky experts emphasize that Lazarus members went to great lengths to lend credibility to their attack: they built the fake game from stolen source code, replacing the logos and all references to the legitimate game to strengthen the illusion of authenticity in their near-identical version.

Details of the malicious campaign were presented at the SAS conference, the Security Analyst Summit in Bali, and now the full report is available at Securelist.com.

About the Global Research and Analysis Team

Founded in 2008, the Global Research and Analysis Team (GReAT) works at the heart of Kaspersky, uncovering APTs, cyber espionage campaigns, large-scale malware, ransomware, and underground cybercrime trends around the world. Today, the GReAT team consists of 40+ experts working all over the world, in Europe, Russia, Latin America, Asia, and the Middle East. These security professionals enable the company to be a leader in anti-malware research and innovation, bringing expertise, passion and curiosity to cyber threat detection and analysis.

Cover photo: A rogue crypto-game website that exploited a zero-day vulnerability to install spyware

(1) SAS – Security Analyst Summit

Source: www.advertiser-serbia.com