Notorious cybercrime gang Lazarus is targeting cryptocurrency users with a “stolen” computer game to attract potential victims.
For those unfamiliar with Lazarus, it is a North Korean state-sponsored hacker collective known for attacking cryptocurrency companies and users. It has been responsible for some of the largest crypto heists in history, with the money reportedly going to the country’s government and weapons program.
Cybersecurity researchers at Kaspersky recently discovered a new campaign that uses a fake game to lure people to a website. Lazarus uses the website to exploit two vulnerabilities in the Chrome browser and ultimately steal sensitive data from the device.
Cookies, tokens and more
Kaspersky explained that the crooks used a DeFi (decentralized finance) game known as DeFiTankLand, and simply renamed it DeTankZone. Users who visit the imitated site and attempt to download the game are presented with a defunct product that does not function beyond the login/registration screen. However, while visiting the website, a hidden script (index.tsx) will trigger an exploit for a type confusion vulnerability tracked as CVE-2024-4947.
This vulnerability was discovered in V8, Chrome’s JavaScript engine. When exploited, it corrupts and overwrites the browser’s memory, giving the crooks access to the address space of the Chrome process. This in turn allows them to obtain cookies, authentication tokens, browsing history and saved passwords.
Because V8 runs inside Chrome’s sandbox, which isolates JavaScript execution from the rest of the system, Lazarus chained a second vulnerability, which Kaspersky describes as a remote code execution flaw, to get beyond that isolation.
The researchers discovered the flaw in mid-May 2024, and Google released a fix two weeks later, on May 25. Cryptocurrency enthusiasts who want to stay safe from Lazarus should at least update their Chrome browser to version 125.0.6422.60/.61. According to the researchers, Lazarus has been running this campaign since February.
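The practical defensive action the article ends on is a version check, and version checks are easy to get wrong when versions are compared as strings ("99.0.4844.84" sorts above "125.0.6422.60" lexicographically). The script below is an added example, not code from the article, Kaspersky or Google: it parses dotted Chrome version strings into numeric tuples and triages a constructed host inventory against the patched builds the article names (125.0.6422.60/.61). The hostnames and the versions in the inventory are invented sample data.

```python
"""Check whether reported Chrome versions carry the CVE-2024-4947 fix.

Added example, not from the article or from Kaspersky/Google. The only
input taken from the article is the patched version pair 125.0.6422.60/.61;
the inventory below is constructed sample data.
"""
from typing import Iterable

# Chrome builds the article names as carrying the CVE-2024-4947 fix.
PATCHED_VERSIONS = ("125.0.6422.60", "125.0.6422.61")
MIN_PATCHED = "125.0.6422.60"


def parse_version(version: str) -> tuple:
    """Turn '125.0.6422.60' into (125, 0, 6422, 60).

    Numeric tuples compare correctly; plain string comparison would rank
    '99.0.4844.84' above '125.0.6422.60', the classic version-check bug.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = MIN_PATCHED) -> bool:
    """True if `version` is at or beyond the first build with the fix.

    Missing trailing components are treated as zero, so '125.0.6422' is
    padded to (125, 0, 6422, 0) and compares below the patched build.
    """
    have, need = parse_version(version), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def triage(inventory: Iterable[tuple]) -> dict:
    """Split (host, version) pairs into patched / vulnerable / unknown buckets."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            # Unparseable strings get flagged rather than silently passed.
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("ws-01", "125.0.6422.60"),
    ("ws-02", "125.0.6422.61"),
    ("ws-03", "124.0.6367.208"),
    ("ws-04", "126.0.6478.126"),
    ("ws-05", "99.0.4844.84"),
    ("ws-06", "125.0.6422"),
    ("ws-07", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Unparseable entries land in a separate "unknown" bucket on purpose: an inventory tool that cannot read a version string should surface that host for a manual look rather than count it as patched.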
Via BleepingComputer