Key Points:
- Lazarus Group used a fake NFT-based game to exploit a zero-day vulnerability in Google Chrome.
- The game, called DeTankZone, installed spyware that stole cryptocurrency wallet credentials.
- Kaspersky Labs identified the attack in May 2024, leading to a security patch from Google.
- North Korean hackers have stolen over $3 billion in crypto since 2017, showing ongoing interest in the sector.
Lazarus Group Exploits Chrome Vulnerability Through Fake NFT Game
The infamous North Korean Lazarus Group has launched another sophisticated cyberattack, this time using a fake blockchain-based game to exploit a vulnerability in Google Chrome. The group, notorious for targeting the cryptocurrency industry, developed and promoted the game to install spyware and steal users’ wallet credentials. Kaspersky Labs detected the exploit in May 2024 and reported it to Google, which swiftly addressed the issue with a security patch.
DeTankZone: The Fake Game Used in the Attack
The fraudulent game, named DeTankZone or DeTankWar, was a fully functional play-to-earn multiplayer online battle arena (MOBA) game. It featured non-fungible tokens (NFTs) representing tanks in global competitions. Lazarus Group promoted the game on social platforms like LinkedIn and X (formerly Twitter), drawing unsuspecting users into their scheme.
What made the attack particularly dangerous was that users could become infected simply by visiting the game’s website, even without downloading the game. Lazarus modeled their fake game on a legitimate DeFi platform called DeFiTankLand, making it harder for users to recognize the scam.
The malware used in this attack, known as Manuscrypt, has been a signature tool for Lazarus over the years. This time, however, they also leveraged a previously unknown vulnerability, classified as a “type confusion bug” in Google Chrome’s V8 JavaScript engine. This zero-day exploit allowed the hackers to gain unauthorized access to users’ systems and wallets.
Kaspersky’s principal security expert, Boris Larin, highlighted the significant effort Lazarus invested in this campaign, indicating its global reach and potential to impact both individuals and businesses worldwide.
A Quick Response from Google
Once Kaspersky discovered the attack in May, it immediately reported the vulnerability, labeled CVE-2024-XXXX, to Google. Within 12 days, Google released a patch to address the flaw, preventing further damage from the malicious website. Microsoft Security had already noticed the fake game as early as February 2024, but by the time Kaspersky began analyzing the exploit, the attackers had removed it from the site. Despite this, Kaspersky’s proactive reporting ensured the vulnerability was fixed before it could be exploited again.
This particular attack marks the seventh zero-day vulnerability found in Chrome in 2024, underlining the growing cybersecurity challenges for web browsers in the face of increasingly sophisticated hackers.
North Korea’s Deep Ties to Cryptocurrency Crimes
Lazarus Group has a well-documented history of targeting the cryptocurrency sector, with this latest attack being just one of many. Between 2020 and 2023, the group was responsible for laundering over $200 million in crypto from 25 different hacks, according to crypto crime researcher ZachXBT. Their most notorious exploit came in 2022 when they were linked to the massive $600 million attack on Ronin Bridge.
North Korean hackers, including the Lazarus Group, have stolen over $3 billion in cryptocurrency between 2017 and 2023, according to reports from U.S. cybersecurity firm Recorded Future. The funds from these attacks are often funneled into North Korea’s military and weapons development programs, highlighting the broader geopolitical implications of these cybercrimes.
Zero-day vulnerabilities, like the one exploited by Lazarus in this attack, pose a significant risk because they take software vendors by surprise, leaving no time to prepare defenses. In this case, Google acted quickly to mitigate the threat, but the incident underscores the need for constant vigilance from both users and cybersecurity firms.
Caution for Crypto Investors
As Lazarus continues to evolve its tactics, cryptocurrency investors must remain alert to potential threats, especially when interacting with online platforms that appear to offer enticing rewards like NFTs or blockchain-based games. The increasing sophistication of these campaigns shows how easily attackers can deceive users and drain their wallets.