North Korea’s notorious Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other techniques to try to steal from cryptocurrency users worldwide.
The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space into promoting their malware-infected crypto game site.
Elaborate Campaign
“Over the years, we have uncovered many [Lazarus] attacks on the cryptocurrency industry, and one thing is for certain: these attacks are not going away,” said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. “Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it,” the security vendor noted.
The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in numerous infamous security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the peak of the pandemic.
Analysts believe that many of the group’s financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are actually attempts to generate revenue for the cash-strapped North Korean government’s missile program.
In the latest campaign the group appears to have refined some of the social engineering techniques employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.
A Chrome Zero-Day and a Second Bug
Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome’s V8 JavaScript engine. It gave the attackers a way to execute arbitrary code inside the browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.
The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on it, including a backdoor known as Manuscrypt.
What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. “They focused on building a sense of trust to maximize the campaign’s effectiveness, designing details to make the promotional activities appear as genuine as possible,” Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn, alongside AI-generated content and images, to create an illusion of authenticity around their fake game site.
“The attackers also tried to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly,” Larin and Berdnikov wrote.