
Lazarus APT Strikes with Zero-Day Exploit, Targeting DeFi Game Investors

By Toby, October 24, 2024

Key Points:

  1. North Korea-linked Lazarus APT group has launched a new attack, targeting investors via a fake DeFi game.
  2. A zero-day vulnerability in Google Chrome’s JavaScript engine was exploited to gain control of victims’ systems.
  3. The malicious website posed as an NFT-based gaming platform, tricking users into downloading malware.
  4. Security experts warn of rising threats to blockchain gaming and DeFi platforms from sophisticated attackers.

Lazarus Group Targets DeFi Game Investors with New Zero-Day Attack

Hard Work and Zero-days: Lazarus' New Exploits

Sometimes, in the course of investigating an APT attack, our researchers have to write server code to mimic the command server of the malware being analyzed. But until this year, it had never been a server code for… a video game.… pic.twitter.com/bkKIf8g3Ud

— Kaspersky (@kaspersky) October 23, 2024

The notorious Lazarus Advanced Persistent Threat (APT) group, affiliated with North Korea, has resurfaced with a sophisticated new campaign. Known for its past attacks on financial institutions, cryptocurrency platforms, and government entities, the group has now expanded its focus to exploit investors through decentralized finance (DeFi) games. This latest campaign involves a zero-day exploit in Google Chrome, making it one of the most concerning cybersecurity incidents in recent months.

Lazarus has a long history of using its signature malware, Manuscrypt, in global cyberattacks since 2013. Over the years, the group has targeted various sectors, but its recent focus on decentralized platforms and cryptocurrency represents an evolving strategy to capitalize on the booming digital finance space. The exploit was first detected on May 13, 2024, by Kaspersky’s Total Security product, with the first known victim identified as an individual in Russia.

The Zero-Day Exploit in Action

The attack leveraged a fake website, detankzone[.]com, designed to resemble a legitimate page for an NFT-based multiplayer online battle arena (MOBA) tank game. Visitors were encouraged to download a demo version of the game, but hidden within the website’s code was a script that triggered the zero-day vulnerability. By merely visiting the page, users unknowingly allowed the attackers to take full control of their computer systems.
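For defenders who want to check whether any host on their network contacted the domain named above, the following added example (not from the article or from Kaspersky's report) matches the indicator against DNS query logs while avoiding false hits on lookalike names. The log layout, timestamps and client addresses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Indicator from the article, kept defanged so it is never clickable.
IOC_DOMAINS = ["detankzone[.]com"]

def normalize_host(value):
    """Return a lowercase bare hostname from a defanged or plain host/URL."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v)               # refang scheme
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)   # drop scheme
    v = re.split(r"[/?#]", v, maxsplit=1)[0]      # drop path, query, fragment
    v = v.rsplit("@", 1)[-1]                      # drop userinfo
    v = re.sub(r":\d+$", "", v)                   # drop port
    return v.rstrip(".")                          # drop DNS root dot

def matches_ioc(host, iocs=IOC_DOMAINS):
    """True if host is an IoC domain or a subdomain of one (label-aligned)."""
    h = normalize_host(host)
    for ioc in iocs:
        d = normalize_host(ioc)
        if h == d or h.endswith("." + d):
            return True
    return False

# Constructed sample: "<timestamp> <client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2024-01-01T09:14:02Z 10.0.4.21 A detankzone.com.
2024-01-01T09:14:03Z 10.0.4.21 A www.DeTankZone.com
2024-01-01T09:15:40Z 10.0.7.9 A notdetankzone.com
2024-01-01T09:16:11Z 10.0.7.9 A detankzone.com.cdn.example.net
2024-01-01T09:17:55Z 10.0.9.30 A update.googleapis.com
"""

def hunt(log_text):
    """Return (timestamp, client, qname) for every query that hits an IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing fields
        ts, client, _qtype, qname = parts
        if matches_ioc(qname):
            hits.append((ts, client, qname))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Matching on whole DNS labels keeps `notdetankzone.com` and `detankzone.com.cdn.example.net` out of the results, so only the two queries from the first client are reported.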

Kaspersky’s research revealed that the Lazarus group exploited a previously undiscovered vulnerability, now identified as CVE-2024-4947, in Google Chrome’s JavaScript engine, V8. This engine, which handles script execution in Chrome, had recently been updated with a new optimizing compiler called Maglev. Lazarus took advantage of a critical flaw in this compiler to bypass Chrome’s security protections and manipulate process memory.

This zero-day exploit allowed the attackers to read and write Chrome process memory, enabling them to launch full-scale attacks on affected systems. Kaspersky promptly reported the vulnerability to Google, which issued a patch on May 15, 2024, protecting millions of Chrome users from the ongoing threat.

Despite Google’s swift action, the full extent of the attack wasn’t immediately clear. Microsoft released a report on May 28, attributing the attack to a newly identified North Korean group, Moonstone Sleet. However, Microsoft failed to acknowledge the role of the zero-day exploit, downplaying the severity of the breach. Kaspersky’s subsequent report provided detailed insights into the vulnerability and how Lazarus had used a fake DeFi game to lure unsuspecting investors.

Implications for the Crypto Industry

The Lazarus group’s latest actions highlight the growing risks within the cryptocurrency and DeFi ecosystems. As blockchain gaming and decentralized platforms gain traction, they are becoming prime targets for cybercriminals looking to exploit vulnerabilities for financial gain. Lazarus’s use of advanced malware and highly targeted attacks points to an alarming trend for investors and operators in these industries.

DeFi platforms, which operate without intermediaries, are particularly vulnerable to these kinds of attacks. With the increasing popularity of NFTs and cryptocurrency-based gaming, threat actors are zeroing in on these platforms, aiming to steal sensitive data or manipulate transactions.

In light of this recent attack, security experts are urging users to exercise caution when interacting with online gaming or cryptocurrency platforms. As threat actors continue to evolve their strategies, vigilance is key to avoiding falling victim to such sophisticated exploits.

Staying Safe in the Face of New Threats

The Lazarus APT’s continued focus on exploiting zero-day vulnerabilities, combined with their ability to target cutting-edge financial platforms, signals a growing challenge for cybersecurity professionals. For users and investors in the cryptocurrency space, staying updated on security patches, avoiding suspicious websites, and maintaining strong cybersecurity practices are essential steps in mitigating the risks posed by these evolving threats.

Last Updated on October 24, 2024 by Toby