North Korean hacking collective Lazarus Group has sought to exfiltrate cryptocurrency investors’ assets in attacks involving a phony decentralized finance game that exploited the now-addressed Google Chrome zero-day type confusion flaw, tracked as CVE-2024-4947, according to BleepingComputer.

Identification of a Manuscrypt backdoor malware compromise in May prompted the discovery of early exploitation of the Chrome vulnerability through the “detankzone[.]com” website for the fake NFT-based multiplayer online battle arena game DeTankZone, a report from Kaspersky revealed. According to the report, the game contains source code stolen from the DeFiTankLand game and was advertised by Lazarus across social media platforms, LinkedIn accounts, and spear-phishing emails. Attackers included a hidden script within the website that leveraged CVE-2024-4947 to corrupt Chrome’s memory, enabling the compromise of browser history, cookies, passwords, and authentication tokens. They then abused another Chrome V8 issue to enable remote execution of shellcode, which facilitated the exfiltration of OS, BIOS, and CPU data, as well as other reconnaissance efforts, researchers said.