The notorious Lazarus Group from North Korea has once again made headlines with an elaborate campaign targeting cryptocurrency users worldwide. The group deployed a sophisticated scheme involving fake game websites, a Chrome zero-day bug, professional-looking LinkedIn accounts, AI-generated images, and other deceptive tactics to steal from unsuspecting victims.
According to researchers at Kaspersky, the Lazarus Group initiated this new campaign in February, utilizing multiple accounts on X and leveraging influential figures in the cryptocurrency space to promote their malware-infected crypto game site. The security vendor noted that Lazarus has increasingly utilized generative AI technology to enhance their attacks, with the expectation of even more elaborate schemes in the future.
While the Lazarus Group may not be a household name, they are considered among the most prolific and dangerous threat actors in the cyber realm. Since their infamous attack on Sony Pictures in 2014, Lazarus and its subgroups like Andariel and Bluenoroff have been involved in numerous high-profile security incidents, including the WannaCry ransomware outbreak, the $81 million heist at the Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets during the pandemic.
Analysts believe that many of Lazarus Group’s financially motivated attacks are aimed at generating revenue for the cash-strapped North Korean government’s missile program. In its latest campaign, the group refined its social engineering tactics, launching detankzone.com, a fake product page offering an NFT-based multiplayer online tank game. The game, though well-designed, was built from source code stolen from a legitimate game.
Kaspersky researchers discovered that the fake game website contained exploit code for two Chrome vulnerabilities. One of them, a zero-day bug identified as CVE-2024-4947, allowed attackers to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google promptly addressed the vulnerability in May after being alerted by Kaspersky.
The second Chrome vulnerability observed in Lazarus Group’s exploit enabled the threat actors to escape the Chrome V8 sandbox entirely and gain full access to the system. This access was utilized to deploy malicious payloads, including a backdoor called Manuscrypt, for collecting information on compromised systems.
What sets this campaign apart is the level of effort the Lazarus Group put into the social engineering aspect. By establishing trust and authenticity through fake accounts on X and LinkedIn and AI-generated content and images, and by engaging cryptocurrency influencers to promote the site, the threat actors sought to maximize the effectiveness of their scheme.
As Boris Larin and Vasily Berdnikov from Kaspersky highlighted, Lazarus Group’s strategy included targeting cryptocurrency influencers to not only distribute the threat but also directly access their crypto accounts. This level of manipulation and deception underscores the group’s growing sophistication and the evolving threat landscape posed by state-sponsored cyber actors like Lazarus.