A recent attack by the Lazarus Group, specifically its BlueNoroff subgroup, exploited a previously unknown vulnerability in Google Chrome. The attack used a zero-day exploit to take control of infected systems, showing the level of capability this North Korean state-backed threat actor can bring to bear.
The campaign came to light when Kaspersky Total Security detected the Manuscrypt backdoor on a personal computer in Russia. Manuscrypt is a well-known Lazarus tool, in use since 2013 and seen in numerous campaigns against governments, financial institutions and cryptocurrency platforms. What set this incident apart was that the group targeted an individual directly, which it rarely does.
The Chrome zero-day was delivered through a deceptive website, detankzone[.]com. The site posed as a legitimate decentralized finance (DeFi) gaming platform and lured visitors with the promise of an NFT-based multiplayer online battle arena. Simply opening the site in an unpatched Chrome triggered the exploit, which ran the attackers' code on the visitor's machine through the browser itself.
The exploit targeted a recently added component of Chrome's V8 JavaScript engine, bypassing the browser's memory protections and giving the attackers remote code execution. Kaspersky reported the vulnerability to Google promptly, and Google shipped a fix within two days.
The exploit chain relied on two bugs: CVE-2024-4947, a type confusion in V8's Maglev JIT compiler that let the attackers corrupt memory inside the renderer process, and a V8 Sandbox bypass that escaped V8's in-process isolation of its heap so that arbitrary code could execute. Note that the V8 Sandbox is V8's own defence-in-depth boundary around heap memory, not Chrome's OS-level process sandbox; a bypass of the former alone does not, by itself, hand an attacker the whole machine.
Kaspersky followed responsible disclosure, but an earlier report from Microsoft on the same campaign did not mention the zero-day component. That prompted Kaspersky to publish additional details and to stress that users should update their browsers immediately.
As Lazarus continues to evolve its tactics, combining social engineering, zero-day exploits and legitimate-looking platforms, organizations and individuals alike need to stay vigilant. Keeping software up to date and treating unfamiliar websites with suspicion remain the most effective steps against sophisticated actors like the Lazarus Group.
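For a practitioner, the two actionable points on this page are the indicator (detankzone[.]com) and the need to confirm that Chrome is on a build that contains the fix. The following script is an added example, not code from the article or from Kaspersky, that does both: it refangs the defanged indicator and sweeps proxy log lines for visits to that domain or any subdomain, and it compares an installed Chrome version against the first patched build using numeric rather than string comparison. The patched version number (125.0.6422.60, the Chrome 125 stable release) and the proxy log format are assumptions, and the log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Assumption (not stated on the page): CVE-2024-4947 was fixed in the
# Chrome 125 stable release, 125.0.6422.60. Check your own advisory source.
PATCHED_CHROME_VERSION = "125.0.6422.60"

# Defanged indicator exactly as the article gives it.
MALICIOUS_DOMAIN_DEFANGED = "detankzone[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'detankzone[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so that 125.0.6422.9 < 125.0.6422.60.

    A plain string comparison would get this wrong ("9" > "60" lexically)."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, patched: str = PATCHED_CHROME_VERSION) -> bool:
    """True when the installed build is older than the first patched build."""
    return parse_version(installed) < parse_version(patched)


def host_matches(host: str, ioc_domain: str) -> bool:
    """Match the exact domain or any subdomain; 'notdetankzone.com' must not match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_hits(lines: Iterable[str], ioc_defanged: str = MALICIOUS_DOMAIN_DEFANGED) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for every request to the IOC domain or a subdomain of it."""
    ioc = refang(ioc_defanged)
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        # Strip scheme, path and port to get the bare hostname.
        host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
        if host_matches(host, ioc):
            hits.append((m.group("ts"), m.group("client"), url))
    return hits


# Constructed sample proxy lines for the example; not real telemetry.
SAMPLE_LOG = [
    "2024-05-10T09:14:02Z 10.0.0.17 GET https://detankzone.com/ 200",
    "2024-05-10T09:14:05Z 10.0.0.17 GET https://cdn.detankzone.com/game.js 200",
    "2024-05-10T09:15:11Z 10.0.0.23 GET https://notdetankzone.com/ 200",
    "2024-05-10T09:16:40Z 10.0.0.41 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for ts, client, url in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {url}")
    for v in ("124.0.6367.208", "125.0.6422.9", "125.0.6422.60", "126.0.0.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

The version check is the part most often done wrong in quick triage scripts: comparing version strings lexically flags 125.0.6422.60 as older than 125.0.6422.9, so a host that is actually patched can be reported as vulnerable, and vice versa. The domain match deliberately requires a dot boundary so that look-alike names containing the indicator as a suffix do not produce false positives.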
Image credit: Alberto Garcia Guillen / Shutterstock.com