North Korean Lazarus Group Exploits Chrome to Target Crypto Users

Highlights:

• Lazarus Group used a Chrome flaw to steal crypto, showing new levels of hacking expertise.
• North Korean hackers lured victims with a fake game, exploiting a Chrome zero-day vulnerability.
• Lazarus Group uses a Chinese trader to launder millions in stolen cryptocurrency.

North Korea’s Lazarus Group launched another cyberattack by using a fake blockchain game to exploit a zero-day vulnerability in Google’s Chrome browser. The attack, first spotted by Kaspersky Labs in May, allowed hackers to steal cryptocurrency wallet credentials. Google quickly addressed and fixed the flaw, but the damage had already been done. 

The vulnerability, identified as CVE-2024-4947, was in Chrome’s V8 JavaScript engine. Hackers exploited this flaw to execute malicious code. Lazarus exploited this zero-day bug to slip past defenses and gather sensitive information. Google fixed the issue within 12 days of Kaspersky’s report.

North Korean hackers, the Lazarus group, have exploited a Chrome zero-day vulnerability through a fake blockchain game, DeTankZone, to steal crypto wallet credentials. Just visiting the site can lead to infection! Stay vigilant and avoid unknown links. #CyberSecurity… pic.twitter.com/0GGE5uufHH

— CryptoniteUae (@CryptoniteUae) October 24, 2024

Kaspersky also detected another unknown vulnerability. This flaw lets attackers bypass Chrome’s security and gain full system access. Lazarus used this security gap to deploy additional malware on compromised systems. The group used their malware, Manuscrypt, to collect data before launching other malicious actions.

Fake Blockchain Game as a Trap

To carry out their plan, Lazarus Group created a fake play-to-earn game. The group called the game DeTankZone or DeTankWar, simulating a real-life blockchain-based game. The group posted the game across social media platforms like LinkedIn and X.

Users were infected simply by visiting the game’s website. This technique showed how easily Lazarus could target unsuspecting victims. The group carefully modeled the game after an existing platform called DeFiTankLand, fooling many into thinking it was a genuine project.

Microsoft Security had already flagged the game in February. However, when Kaspersky investigated, the hackers had removed the exploit code from the site. Still, Kaspersky reported the vulnerability to Google. The issue was fixed before the hackers could use it again.

Crypto Laundering Operation Linked to Lazarus

Lazarus has also been using a complex crypto-laundering operation. ZachXBT, a blockchain expert, uncovered a link between the group and Yicong Wang. The trader was a key player used to launder millions of dollars of stolen cryptocurrency.

1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022. pic.twitter.com/ARcwC7r3Xr

— ZachXBT (@zachxbt) October 23, 2024

Wang has been using pseudonyms such as Seawang and BestRhea977. He used the identities to convert stolen crypto into cash. The funds were moved using bank transfers, making it difficult to trace the transactions. 

Wang’s operations have further laundered $17 million from over 25 hack-associated cases involving Lazarus since 2022. In November 2023, 374,000 USDT from the address was frozen by Tether.. Despite the restriction, Wang found ways to move some funds through Tornado Cash. 

Sophisticated Social Engineering Techniques

The attack was mainly a social engineering campaign. Lazarus created a fake game with a professional-looking website. To promote it, they created several fake accounts on X and LinkedIn. They made the project look legitimate to the users by using AI-generated images and content. 

Lazarus Group uses advanced malware with well-crafted social engineering. Their latest campaign proves that they are not just relying on technical exploits. Instead, they are targeting their victims, using social connections and trust. This makes them one of the most dangerous cyber threat actors today.