The notorious Lazarus group has been found targeting cryptocurrency users with a “stolen” computer game as the lure.
For those unfamiliar with Lazarus, it’s a North Korean state-sponsored hacking collective known for targeting cryptocurrency companies and users. It has been responsible for some of the biggest crypto heists in history, with the proceeds allegedly funding the country’s government and weapons program.
Cybersecurity researchers from Kaspersky recently found a new campaign that uses a fake game to lure people to a website. The website exploits two vulnerabilities in the Chrome browser to take control of the browser and ultimately steal sensitive data from the device.
Cookies, tokens, and more
Kaspersky explained that the crooks took a DeFi (decentralized finance) game called DeFiTankLand and simply rebranded it as DeTankZone. Users who visit the impersonating site and download the game get a non-functional product that doesn’t work past the login/registration screen. The download is only the lure, though: while the user is on the website, a hidden script (index.tsx) triggers an exploit for a type confusion vulnerability tracked as CVE-2024-4947.
The vulnerability is in V8, Chrome’s JavaScript engine. When exploited, it lets the attackers read and corrupt the browser’s memory, giving them access to the address space of Chrome’s process. That, in turn, allows them to grab cookies, authentication tokens, browsing history, and saved passwords.
Because V8 keeps its heap inside a sandbox that isolates JavaScript memory corruption from the rest of the process, memory access alone was not enough: Lazarus chained a second vulnerability to bypass that sandbox and achieve remote code execution, Kaspersky said.
Kaspersky found the exploit in mid-May 2024 and reported it to Google, which shipped a fix for CVE-2024-4947 in Chrome 125.0.6422.60/.61 later that month. Cryptocurrency users who want to stay clear of this campaign should make sure Chrome is at version 125.0.6422.60/.61 or newer. Kaspersky concluded that Lazarus had been running the campaign since February 2024.
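Checking whether a fleet of browsers is at or above the fixed build is a version comparison, and it is easy to get wrong with plain string comparison (“125.0.6422.9” sorts after “125.0.6422.60” as text but is the older build). The script below is an added example, not code from the article or from Kaspersky’s report; the hostnames and version inventory are constructed, and the only fact it takes from the article is that 125.0.6422.60/.61 is the first fixed build.

```python
"""Flag Chrome installs still below the build that fixed CVE-2024-4947.

Added example, not part of the article or Kaspersky's report. The
inventory below is constructed for illustration.
"""
import re

# First Chrome stable builds carrying the CVE-2024-4947 fix (from the article).
# The .61 build is the Windows/Mac sibling of .60 and compares as newer.
FIXED_VERSION = "125.0.6422.60"

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a tuple of ints for numeric comparison.

    Missing trailing components are treated as zero, so '125' == '125.0.0.0'.
    Anything that is not a dotted-numeric string raises ValueError rather than
    being silently treated as patched.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host->version map into vulnerable, patched and unparseable hosts.

    Unparseable entries are reported on their own so a bad inventory record
    never masks an unpatched browser.
    """
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparseable"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "trader-01": "124.0.6367.208",  # Chrome 124 build, predates the fix
    "trader-02": "125.0.6422.60",   # first fixed build
    "trader-03": "125.0.6422.61",   # Windows/Mac variant of the fix
    "trader-04": "125.0.6422.9",    # looks newer as a string, but is older
    "trader-05": "126.0.6478.55",   # later release line
    "trader-06": "unknown",         # bad inventory record
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

One caveat when feeding this from real inventory: Chrome downloads updates in the background but only runs the new build after a relaunch, so the version to check is that of the running browser process, not the version on disk.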
Via BleepingComputer