DeTankZone, Lazarus’ fake DeFi game that exploited a Chrome zero-day

November 1, 2024
DeTankZone DeFi Cryptocurrency Chrome Flaw Cyberattack

The notorious North Korea-backed Lazarus group used a fake decentralised finance (DeFi) game called DeTankZone to target crypto enthusiasts. Reports revealed that this APT group exploited CVE-2024-4947, a Google Chrome zero-day.

The researchers traced the incident back to earlier this year, when they detected a new variant of the Manuscrypt backdoor. Further analysis revealed that the backdoor's operators had exploited Google Chrome before the new Manuscrypt payload was spotted, and that the payload came from the detankzone[.]com website.


Lazarus doubled down on introducing the DeTankZone game to infect numerous cryptocurrency users.


This state-sponsored threat group advertised DeTankZone extensively through social media platforms, spear-phishing emails, and LinkedIn profiles. The website promoted it as an NFT-based multiplayer online battle arena (MOBA) game with tank-centric gameplay.

When the researchers dissected the game, they discovered that the attackers had built it from source code stolen from a legitimate game called DeFiTankLand.

The game, a 400 MB ZIP download, installs and launches, but it never gets past the login/registration screen because the game's backend infrastructure is unreachable.

The Chrome exploit, however, is delivered by the detankzone website itself, which contains a hidden script that triggers CVE-2024-4947. The vulnerability is a type confusion bug in V8, Chrome's JavaScript engine.

The APT group's exploit script corrupted Chrome's memory through Maglev, one of V8's JIT compilers, overwriting memory regions and gaining access to the entire address space of the Chrome process. With that access, the attackers can read cookies, authentication tokens, saved passwords, and browser history.

Chrome's V8 sandbox isolates JavaScript execution from the rest of the system, so memory access alone was not enough; Lazarus therefore exploited a second V8 flaw to bypass the sandbox and achieve remote code execution, running shellcode in memory.

The shellcode serves as a reconnaissance tool, helping Lazarus decide whether the compromised device is worth further intrusion. It collects CPU, BIOS, and OS information, runs anti-VM and anti-debugging checks, and then transmits the data to an attacker-controlled server.

These are the only details the research has established about the malicious game so far. Cryptocurrency enthusiasts who also enjoy gaming should be wary of these threats, as they are the targets of this new Lazarus campaign.
