North Korean hackers use fake game to hack Google Chrome security flaw

Hacker silhouette working on a laptop with North Korean flag on the background

(Image credit: Getty Images)

The notorious Lazarus cybercrime gang has been found targeting cryptocurrency users with a “stolen” computer game to attract potential victims.

For those unfamiliar with Lazarus, it’s a North Korean state-sponsored hacking collective known for targeting cryptocurrency companies and users, and has been responsible for some of the biggest crypto heists in history, with the money allegedly going into the country’s government and weapons program.

Cybersecurity researchers from Kaspersky recently found a new campaign that uses a fake game to lure people to a website. Lazarus uses the website to exploit two vulnerabilities in the Chrome browser, and ultimately steal sensitive data from the device.

Cookies, tokens, and more

Kaspersky explained the crooks used a DeFi (decentralized finance) game known as DeFiTankLand, and simply rebranded it into DeTankZone. Users who visit the impersonated site and try to download the game will get a defunct product that doesn’t work past the login/registration screen. However, while visiting the website, a hidden script (index.tsx) will trigger an exploit for a type confusion vulnerability tracked as CVE-2024-4947.

This vulnerability was discovered in V8, Chrome’s JavaScript engine. When exploited, it corrupts the browser’s memory, and overwrites it, granting the crooks access to the address space of Chrome’s process. That, in turn, allows them to grab cookies, authentication tokens, browsing history, and saved passwords.

Since Chrome’s V8 is in a sandbox, and JavaScript execution is isolated from the rest of the system, Lazarus used a different vulnerability for remote code execution, Kaspersky said.

The researchers spotted the flaw in mid-May 2024, and Google came back with a fix two weeks later, on May 25. Cryptocurrency lovers who want to remain secure from Lazarus should bring their Chrome browsers at least to version 125.0.6422.60/.61. Lazarus has been operating this campaign since February, it was concluded.

Via BleepingComputer

More from TechRadar Pro

Windows and Linux servers turned into crypto miners
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.