Lazarus Hackers Exploit Zero-Day Vulnerability in Chrome Using Fake NFT Games

Cybersecurity giant Kaspersky has uncovered a highly sophisticated crypto-targeted malicious campaign, led by the North Korean threat actor group Lazarus.

Unveiled on Wednesday, the Lazarus Group exploited a zero-day vulnerability in Google Chrome using a fake blockchain-based game. The exploit installed spyware to steal wallet credentials, the findings noted.

The attack’s findings, identified by Kaspersky’s Global Research and Analysis Team in May 2024, were presented at the Security Analyst Summit 2024 in Bali.

The analysis further revealed that the malicious campaign involved social engineering techniques and generative AI to target cryptocurrency investors.

“The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems,” Boris Larin, Principal Security Expert at Kaspersky noted.

“With notorious actors like Lazarus, even seemingly innocuous actions—such as clicking a link on a social network or in an email—can result in the complete compromise of a personal computer or an entire corporate network.”

The actual impact of the campaign could be much larger, affecting users and businesses worldwide, Larin added.

Attackers Exploited Vulnerability Using Fake Game Website: Kaspersky

Per the cybersecurity expert team, the Lazarus Group exploited two vulnerabilities. This includes an unknown bug in V8 JavaScript on Google’s open-source and WebAssembly engine. Google later fixed the vulnerability following Kaspersky’s reporting.

“It allowed attackers to execute arbitrary code, bypass security features, and conduct various malicious activities,” the findings revealed.

The fake blockchain-based game invited users to compete globally with NFT tanks. The notorious group designed social media and LinkedIn promotional activities to appear genuine and promote the game. They also created AI-generated images to enhance credibility.

Additionally, the attackers also tried to engage crypto influencers for promotion.

Shortly after the attackers launched the game on social media, the real game developers claimed that US$20,000 in cryptocurrency had been transferred from their wallet.

The experts claimed that the fake game exactly mirrored the logo and visual quality of the original. As a result, the Lazarus hackers went to an extent to lend credibility to their attack.

Further, the attackers created the fake NFT game using stolen source code using all the references of the original version.