In a high-profile security breach, Kaspersky’s Global Research and Analysis Team (GReAT) has exposed a sophisticated campaign by the Lazarus Advanced Persistent Threat (APT) group, notorious for its high-tech attacks on cryptocurrency platforms. This time, Lazarus targeted cryptocurrency investors globally through a meticulously crafted fake cryptogame website, which exploited a zero-day vulnerability in Google Chrome to install spyware and steal cryptocurrency wallet credentials. Kaspersky unveiled these findings during the Security Analyst Summit 2024 held in Bali, Indonesia.

The incident came to light in May 2024 when Kaspersky analysts, examining data within their Security Network telemetry, identified an attack using Manuscrypt malware — an established tool of the Lazarus group since 2013. Through extensive investigation, researchers found that Lazarus had designed a fake game website inviting users to play and compete with NFT-based tanks. By exploiting a type confusion bug in V8, Chrome’s JavaScript and WebAssembly engine, the attackers gained unauthorized access, allowing them to execute arbitrary code, bypass Chrome’s security features, and breach user wallets.

The vulnerability, reported to Google by Kaspersky, was subsequently patched as CVE-2024-4947. However, Lazarus also deployed an additional vulnerability to bypass Google Chrome’s V8 sandbox protection, further escalating the attack’s complexity. The operation marked a departure from Lazarus’ typical tactics, blending sophisticated social engineering with generative AI tools to enhance the campaign’s authenticity and reach.

To maximize their deception, the Lazarus group promoted the game extensively on social media platforms like X (formerly Twitter) and LinkedIn, creating profiles and AI-generated images that portrayed the game as legitimate. Kaspersky’s research team noted that Lazarus even attempted to recruit cryptocurrency influencers to boost the fake game’s visibility. These efforts were aimed not only at amplifying their campaign but also at targeting the influencers’ own crypto wallets directly.

“While we’ve seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems. With notorious actors like Lazarus, even seemingly innocuous actions — such as clicking a link on a social network or in an email — can result in the complete compromise of a personal computer or an entire corporate network. The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide,” according to Boris Larin, Principal Security Expert at Kaspersky’s GReAT.

In a startling development, Kaspersky’s experts discovered that the attackers had cloned a legitimate game prototype, altering only logo placements and minor design elements to create a nearly identical version. The campaign’s designers even replaced all original logos and references to maintain a sense of authenticity, while the real game developers reported that US$20,000 in cryptocurrency had been siphoned from their wallets.

These details are now available on Kaspersky’s Securelist.com, offering further insights into the Lazarus group’s expanding use of generative AI and social engineering in APT campaigns targeting cryptocurrency sectors. As generative AI continues to evolve, Kaspersky’s team warns of even more complex threats on the horizon, underscoring the need for heightened awareness among investors and crypto platform users.


ABOUT THE AUTHOR

Robert “Bob” Reyes is a technologist, an ICT Consultant and Tech Speaker, a certified Google IT Support Specialist, and an Open Source advocate representing the global non-profit Mozilla (makers of Firefox) in the Philippines. Bob is a Technology Columnist for the Manila Bulletin Publishing Corporation and an aviation subject matter expert contributor for Spot.PH.
