Lazarus Hackers Exploit Chrome Zero-Day Vulnerability Using Fake NFT Game
2 min readCybersecurity firm Kaspersky has discovered a sophisticated cryptocurrency-targeting malware campaign led by the North Korean hacking group Lazarus.
The campaign, disclosed on Wednesday, involved the Lazarus group exploiting a zero-day vulnerability in Google Chrome using a fake blockchain-based game. The hack also installed spyware to steal wallet credentials.
The discovery of this attack, confirmed by Kaspersky’s Global Research and Analysis team in May 2024, was announced at the 2024 Security Analyst Summit in Bali.
Our analysis revealed that this malicious campaign used social engineering techniques and generative AI to target cryptocurrency investors.
“The hackers went beyond standard tactics by exploiting a Google Chrome zero-day and using a fully functional game as a cover to infect target systems,” said Boris Larin, senior security expert at Kaspersky.
“For notorious hackers like Lazarus, even something as innocuous as clicking on a link on a social network or in an email can completely compromise a personal computer or an entire corporate network.”
Larin added that the actual impact of this campaign could be much greater, reaching users and businesses around the world.
Kaspersky: Hackers used fake gaming websites to exploit vulnerabilities
According to a team of cybersecurity experts, the Lazarus group exploited two vulnerabilities, including an unknown bug in Google’s open source V8 JavaScript and WebAssembly engine. Google later fixed the vulnerabilities, as reported by Kaspersky.
“This allows hackers to execute arbitrary code, bypass security features, and perform a variety of malicious activities,” the study found.
This fake blockchain-based game invited users to compete with NFT tanks from around the world. The infamous group designed social media and LinkedIn promotions to make it look real and promoted the game. They also created AI-generated images to increase credibility.
Hackers also attempted to recruit cryptocurrency influencers to promote the campaign.
Shortly after the hackers released the game on social media, the actual game developer claimed that $20,000 in cryptocurrency had been transferred from his wallet.
Experts claimed that the fake game accurately reflected the logo and visual quality of the original. As a result, Lazarus hackers went to great lengths to lend credibility to their attacks.
Hackers also created fake NFT games using stolen source code, with all references to the original version.
