Vulnerability in Chrome browser exploited to steal cryptocurrency

28 October 2024

Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a complex malicious campaign by the Lazarus Advanced Persistent Threat (APT) group that targeted cryptocurrency investors globally. The attackers created a fake crypto-gaming website, exploiting a zero-day vulnerability in Google Chrome to install spyware and steal wallet data. These findings were presented at the Security Analyst Summit 2024, held in Bali.

In May 2024, Kaspersky experts, analyzing incidents from Kaspersky Security Network telemetry, identified an attack that leveraged the Manuscrypt malware. Manuscrypt, which has been used by the Lazarus team since 2013, has been detected by Kaspersky's GReAT team in over 50 different campaigns targeting a variety of industries. Upon further analysis, a complex malicious campaign was uncovered that relied heavily on social engineering techniques and generative AI, targeting cryptocurrency investors.

The Lazarus group is renowned for its highly advanced attacks on cryptocurrency platforms and has a history of exploiting zero-day vulnerabilities. This new campaign followed the same pattern: Kaspersky researchers discovered that the attackers exploited two vulnerabilities, including a previously unknown type confusion bug in V8, Google's open-source JavaScript and WebAssembly engine. This vulnerability was fixed as CVE-2024-4947 after Kaspersky reported it to Google. Before the fix, it allowed attackers to execute arbitrary code, bypass security features and conduct various malicious activities. A second vulnerability was used to bypass V8's sandbox protection in Google Chrome.

The attackers exploited this vulnerability through a well-constructed fake gaming website that invited users to compete against players worldwide with NFT tanks. They focused on building trust to maximize the effectiveness of the campaign, creating detailed elements that made the promotions seem as plausible as possible. This included creating social media accounts on X (formerly Twitter) and LinkedIn to promote the game over the course of several months. They used images created with artificial intelligence to enhance the credibility of the site. The Lazarus group has successfully integrated artificial intelligence into its operations, and Kaspersky experts predict even more sophisticated attacks from the group that will leverage such technologies.

The attackers also tried to enlist crypto influencers to boost the campaign, taking advantage of their social media presence not only to spread the threat but also to directly target their cryptocurrency accounts.

Kaspersky experts discovered a legitimate game that appears to have been the template for the attackers' version. Shortly after the launch of the fake game's promotional campaign, the real developers of the game said that $20,000 in cryptocurrency had been transferred from their wallets. The logo and design of the fake game were very similar to the authentic ones, differing only in the logo placement and image quality. Given these visual similarities and the identical code, Kaspersky experts stress that Lazarus members made a great effort to appear trustworthy. They created a fake game using stolen source code, substituting the logos and all references to the legitimate game to enhance the illusion of authenticity in their nearly identical version.