October 24, 2024
Severity
High
Analysis Summary
The North Korean threat group Lazarus used a phony decentralized finance (DeFi) game to target Bitcoin users and exploit a Google Chrome zero-day known as CVE-2024-4947.
Researchers uncovered the attacks on May 13, 2024, and notified Google of the Chrome zero-day vulnerability. On May 25th, Google released Chrome version 125.0.6422.60/.61, which fixed CVE-2024-4947. The campaign began in February 2024 and was uncovered by researchers after they found a new version of the "Manuscrypt" backdoor software on a Russian customer's computer.
Although Lazarus had been using Manuscrypt for years, the researchers' interest was caught by the unusual breadth of targeting, which included seemingly random individuals. Additional telemetry revealed that the Google Chrome exploit, which had been observed before the new Manuscrypt payload, originated from the "detankzone[.]com" website. This website advertised DeTankZone, a tank-themed, NFT-based multiplayer online battle arena (MOBA) game.
Lazarus promoted the game extensively via spear-phishing emails, premium LinkedIn profiles used in direct approaches to high-value targets, and social media marketing on sites like X. Researchers found that the game was built on source code stolen from a genuine game called DeFiTankLand, which Lazarus had downloaded, reverse engineered, and simply repackaged for their own use.
The 400MB ZIP download launches as expected, but because the game's backend infrastructure was shut down, it does not get past the login/registration screen. Moreover, it did nothing harmful to the target's system. The Google Chrome attack takes place on the detankzone[.]com website itself, which hosts a hidden script (index.tsx) developed to exploit a type confusion bug in Chrome's JavaScript engine (CVE-2024-4947).
Lazarus' exploit script abused Chrome's JIT compiler, Maglev, to corrupt parts of the program's memory, which ultimately gave them access to the entire address space of the Chrome process. At this point, the attackers had access to browsing history, saved passwords, authentication tokens, and cookies.
To get around Chrome's V8 sandbox, which separates JavaScript execution from the rest of the system, Lazarus exploited a second vulnerability in V8 to execute shellcode in the system's memory. This issue (330404819) was reported and resolved in March 2024. It is unclear whether the attackers found it first and exploited it as a 0-day, or whether they exploited it as a 1-day after a bug collision.
The shellcode Lazarus employed serves as a reconnaissance tool that helps the attackers assess whether the compromised system is valuable enough to proceed with the operation. It gathered information on the CPU, BIOS, and OS, ran anti-VM and anti-debugging checks, and transmitted the data to Lazarus' command-and-control (C2) server.
Because Lazarus had already removed the exploit from the fake site by the time the researchers conducted their investigation, they were unable to examine the subsequent stages of the attack. However, given the individuals targeted by the campaign and the group's prior behavior, stealing cryptocurrency was probably the attack's ultimate objective.
Impact
- Unauthorized Access
- Exposure of Sensitive Data
- Code Execution
- Cryptocurrency Theft
Indicators of Compromise
Domain Name
- detankzone.com
- ccwaterfall.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.
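As an added defender-side example that is not part of the advisory, the following Python script checks an installed Chrome build against the fixed release 125.0.6422.60 named above and scans proxy log lines for the IoC domains listed above, including their subdomains. The log line format and the sample lines are constructed assumptions, not a real proxy format or real telemetry.

```python
import re
from typing import Iterable

# Chrome 125.0.6422.60/.61 shipped the fix for CVE-2024-4947 (from the advisory).
FIXED_CHROME_VERSION = (125, 0, 6422, 60)
# IoC domains listed in the advisory.
IOC_DOMAINS = {"detankzone.com", "ccwaterfall.com"}
# Assumed log shape "<timestamp> <client_ip> <host> <url>"; constructed, not a real proxy format.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$")

def parse_version(version: str) -> tuple[int, ...]:
    """Parse a four-part Chrome version string into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)

def chrome_is_patched(version: str) -> bool:
    """True when the build is at or above the first release that fixed CVE-2024-4947."""
    return parse_version(version) >= FIXED_CHROME_VERSION

def domain_matches_ioc(host: str) -> bool:
    """Match an IoC domain exactly or any of its subdomains (e.g. www.detankzone.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def find_ioc_hits(lines: Iterable[str]) -> list[dict]:
    """Return the timestamp, client and host of every log line whose host hits an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and domain_matches_ioc(m.group("host")):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "host": m.group("host")})
    return hits

# Constructed sample log lines (not real telemetry); the last line is a near-miss, not a hit.
SAMPLE_LOG = [
    "2024-10-24T10:01:02Z 10.0.0.5 www.example.com https://www.example.com/",
    "2024-10-24T10:02:15Z 10.0.0.7 www.detankzone.com https://www.detankzone.com/",
    "2024-10-24T10:03:40Z 10.0.0.9 ccwaterfall.com https://ccwaterfall.com/",
    "2024-10-24T10:04:01Z 10.0.0.7 notdetankzone.com https://notdetankzone.com/",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("IoC hit:", hit)
    print("125.0.6422.41 patched:", chrome_is_patched("125.0.6422.41"))  # False
```

Point `find_ioc_hits` at your own proxy or DNS export after adjusting `LOG_LINE` to its column layout; a hit only means the host was contacted and still needs triage.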