Lazarus APT Group Launches Sophisticated Cyberattack on Cryptocurrency Investors via Fake Cryptogame
Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a sophisticated cyberattack by the notorious Lazarus Advanced Persistent Threat (APT) group, targeting cryptocurrency investors globally. The attackers lured victims to a fake crypto-game website that exploited a zero-day vulnerability in Google Chrome to install spyware and steal digital wallet credentials. These findings were presented at the 2024 Security Analyst Summit in Bali.
In May 2024, while analyzing incidents through Kaspersky Security Network telemetry, experts detected an attack using Manuscrypt, an infamous backdoor that Lazarus has used since 2013. The attack was part of a highly sophisticated campaign that combined social engineering and generative AI to target cryptocurrency investors.
Lazarus, known for its advanced attacks on cryptocurrency platforms, chained two vulnerabilities. The first was a previously unknown type confusion bug in V8, Google’s JavaScript and WebAssembly engine; after Kaspersky reported it, Google fixed it in May 2024 as CVE-2024-4947. This flaw allowed the attackers to run their own code in the browser and defeat its built-in protections. The second vulnerability was used to bypass the V8 sandbox, the isolation layer that is supposed to contain such bugs. Because the exploit ran simply on visiting the page, any user on an unpatched Chrome build who opened the site could be infected without downloading or clicking anything; installations that had not yet restarted into the patched version remained exposed.
The attackers built a fake game website inviting users to compete globally with NFT tanks, and used AI-generated images and accounts on social media platforms such as X (formerly Twitter) and LinkedIn to build trust and promote the game over several months. Lazarus also recruited cryptocurrency influencers to spread the lure further, both to reach their followers and to target the influencers’ own crypto accounts.
“While we’ve seen APT actors pursue financial gain before, this campaign was unique,” commented Boris Larin, Principal Security Expert at Kaspersky’s GReAT. “The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect systems.”
Kaspersky’s analysis revealed that Lazarus had created a near-identical copy of an existing game from stolen source code to make the campaign more credible. The fake game closely mirrored the original, differing only in logo placement and visual quality, so that it functioned as a genuine, playable lure rather than an obviously empty landing page.
Details of this campaign, now published on Securelist.com, demonstrate the group’s evolving use of generative AI in attacks, and Kaspersky’s experts expect even more sophisticated operations in the future.