Lazarus Group Uses Google Chrome Zero-Day to Hijack Cryptocurrency in ‘DeTankZone’ Operation (CVE-2024-4947)


The Lazarus Group’s Exploitation of CVE-2024-4947: A Deep Dive into Cyber Threats

In early 2024, the North Korean state-sponsored group known as Lazarus ran a targeted campaign built around a zero-day vulnerability in Google Chrome, tracked as CVE-2024-4947. The lure was a counterfeit decentralized finance (DeFi) game aimed at people working in the cryptocurrency sector. Kaspersky researchers uncovered the attack in May 2024, but the campaign had been active since at least February, which shows how long a well-resourced actor can operate before an exploit is noticed.

Understanding CVE-2024-4947

CVE-2024-4947 is a type confusion vulnerability in V8, Chrome’s JavaScript engine, located in Maglev, V8’s mid-tier Just-In-Time (JIT) compiler. It carries a CVSS score of 8.8, which places it in the High band (not Critical). A crafted HTML page can trigger the flaw and execute arbitrary code inside the renderer process without any user interaction beyond visiting the page.

Code execution in the renderer gives an attacker access to everything the browser handles for that user: cookies, authentication tokens, browsing history, and saved passwords. In the DeTankZone chain the attackers went further and used a second V8 bug to bypass the V8 sandbox. Note that the V8 sandbox is the engine’s in-process heap isolation, not Chrome’s OS-level process sandbox; bypassing it yields full read/write over the renderer’s memory rather than the host. Google fixed CVE-2024-4947 in Chrome 125.0.6422.60/.61 in May 2024, but the incident is a reminder that a browser left unpatched for even a few days is exposed to exploits that already exist in the wild.

The DeTankZone Campaign: How Lazarus Exploited CVE-2024-4947

Lazarus delivered CVE-2024-4947 through a deceptive campaign aimed at cryptocurrency enthusiasts, built around a fraudulent DeFi game the group branded “DeTankZone.” The campaign came to light when Manuscrypt, a backdoor long associated with Lazarus, was detected on a personal computer in Russia. That detection led Kaspersky researchers to the broader operation.

Campaign Overview

Lazarus ran the attack from a malicious website, detankzone[.]com, which promoted the fake game. The site carried hidden code that exploited the Chrome zero-day against visitors. The game itself was built from source code stolen from a legitimate project, DeFiTankLand, which Lazarus rebranded to make the lure credible.

When a user opened the site, a hidden script exploited the Chrome vulnerability and let Lazarus execute arbitrary code. Notably, simply loading the page was enough; the game only served as a distraction, and the victim did not need to download or play it. To maximize reach, the group promoted the site through social media advertisements, spear-phishing emails, and direct messages on platforms such as LinkedIn.

By the time researchers examined the campaign, the backend infrastructure behind the game had already been taken down, which complicated efforts to determine the full scope of the attack.

Who is the Lazarus Group?

The Lazarus Group is a state-sponsored hacking collective from North Korea, infamous for executing sophisticated cyber campaigns that frequently target financial institutions, including cryptocurrency exchanges. Their operations are characterized by advanced social engineering tactics, the exploitation of zero-day vulnerabilities, and the deployment of sophisticated malware.

In the DeTankZone campaign, Lazarus combined these tactics with the exploitation of CVE-2024-4947 to facilitate cryptocurrency theft. Their history of high-profile cyberattacks and their ability to adapt to new technologies make them a formidable threat in the cyber landscape.

For those interested in learning more about the Lazarus Group’s previous campaigns, techniques, and targets, SOCRadar offers a comprehensive Dark Web Profile that provides detailed insights into this notorious hacking collective.

Recent Chrome Security Updates

In light of the CVE-2024-4947 incident, it is worth noting that Google has since patched three more high-severity Chrome vulnerabilities: CVE-2024-10229, an inappropriate implementation in Extensions, and CVE-2024-10230 and CVE-2024-10231, both type confusion bugs in the V8 JavaScript engine. As with CVE-2024-4947, a type confusion in V8 can lead to arbitrary code execution in the renderer from a crafted page; the Extensions flaw concerns how the browser handles extension behaviour.

Google addressed these vulnerabilities in Chrome 130.0.6723.69/.70 for Windows and Mac and 130.0.6723.69 for Linux. Users should update now. Chrome downloads updates in the background but only applies them after a relaunch, so confirm the running build in chrome://version (or chrome://settings/help) rather than assuming auto-update has completed. For more detail, refer to the official Chrome advisory.
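The following is an added example, not code from SOCRadar or from Google, that turns the “update now” advice into a check: it parses the version string Chrome prints and reports which of the CVEs named on this page the installed build is still exposed to. The fixed-version table is taken from the text above; the assumption that the `google-chrome` or `chromium` binary is on PATH and prints “Google Chrome 130.0.6723.69” to `--version` is ours, and the sample version strings are constructed.

```python
"""Report which Chrome CVEs named on this page an installed build is exposed to.

Added example. First-fixed builds are taken from the article text; the
`--version` output format and binary names are assumptions.
"""
import re
import shutil
import subprocess

# First stable build containing the fix for each CVE, as stated above.
FIXED_IN = {
    "CVE-2024-4947": "125.0.6422.60",
    "CVE-2024-10229": "130.0.6723.69",
    "CVE-2024-10230": "130.0.6723.69",
    "CVE-2024-10231": "130.0.6723.69",
}


def parse_version(text: str) -> tuple:
    """Extract the dotted 4-part Chrome version from a string such as
    'Google Chrome 129.0.6668.100' and return it as a tuple of ints so that
    comparison is numeric, not lexical ('130' must sort after '99')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def exposed_cves(version_text: str) -> list:
    """Return the CVEs whose fix landed in a build newer than the one installed.
    A build equal to or newer than the fixed build is treated as patched; builds
    like 125.0.6422.61 therefore count as fixed for CVE-2024-4947."""
    installed = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))


if __name__ == "__main__":
    # Assumed binary names; on Windows or macOS point this at the Chrome executable.
    exe = shutil.which("google-chrome") or shutil.which("chromium")
    if exe is None:
        print("Chrome/Chromium not found on PATH")
    else:
        out = subprocess.run([exe, "--version"], capture_output=True,
                             text=True, check=False).stdout
        print(out.strip(), "->", exposed_cves(out) or "none of the listed CVEs")
```

Because the comparison is on the reported build and not on the files on disk, the script sees what the running browser reports only if the browser has been relaunched since the update; a stale chrome://version is exactly the gap this check is meant to surface.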

Indicators of Compromise (IOCs)

To assist organizations in identifying potential threats, here are the Indicators of Compromise (IOCs) related to Lazarus’ exploitation of CVE-2024-4947:

Exploit Hashes:

  • MD5: B2DC7AEC2C6D2FFA28219AC288E4750C
  • SHA1: E5DA4AB6366C5690DFD1BB386C7FE0C78F6ED54F
  • SHA256: 7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A

Game Hashes:

  • MD5: 8312E556C4EEC999204368D69BA91BF4
  • SHA1: 7F28AD5EE9966410B15CA85B7FACB70088A17C5F
  • SHA256: 59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC

Domains:

  • detankzone[.]com
  • ccwaterfall[.]com
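As an added example (not SOCRadar’s or Kaspersky’s tooling), the script below sweeps proxy/DNS log lines and a file-hash inventory for the IOCs listed above. It refangs the `[.]` notation, matches domains by exact host or subdomain rather than by substring, and compares digests case-insensitively. The log line format, the DNS `query:` field, the file paths and the non-matching digest are constructed for the demonstration; only the domains and hashes are taken from the list above.

```python
"""Sweep logs and a file inventory for the DeTankZone IOCs listed above.

Added example. Domains and hashes come from the IOC list; the log format,
file paths and sample data are constructed.
"""
import re

# IOCs from the list above, refanged and lowercased for matching.
IOC_DOMAINS = {"detankzone.com", "ccwaterfall.com"}
IOC_HASHES = {
    "b2dc7aec2c6d2ffa28219ac288e4750c": "DeTankZone exploit (MD5)",
    "e5da4ab6366c5690dfd1bb386c7fe0c78f6ed54f": "DeTankZone exploit (SHA1)",
    "7353ab9670133468081305bd442f7691cf2f2c1136f09d9508400546c417833a":
        "DeTankZone exploit (SHA256)",
    "8312e556c4eec999204368d69ba91bf4": "DeTankZone game (MD5)",
    "7f28ad5ee9966410b15ca85b7facb70088a17c5f": "DeTankZone game (SHA1)",
    "59a37d7d2bf4cffe31407edd286a811d9600b68fe757829e30da4394ab65a4cc":
        "DeTankZone game (SHA256)",
}


def refang(indicator: str) -> str:
    """Undo IOC defanging: 'detankzone[.]com' -> 'detankzone.com', hxxp -> http."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one. This is not a
    substring test, so 'notdetankzone.com' does not match."""
    host = refang(host).rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Hosts appear inside a URL or after 'query:' in the (constructed) DNS log
# format assumed here; adjust the pattern to your own log source.
HOST_RE = re.compile(r"https?://([^/:\s]+)|\bquery:\s*(\S+)", re.I)


def scan_log(lines):
    """Return (line_number, host) for every log line touching an IOC domain."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in HOST_RE.finditer(line):
            host = m.group(1) or m.group(2)
            if host_matches(host):
                hits.append((n, refang(host).rstrip(".")))
    return hits


def scan_hashes(inventory):
    """inventory maps path -> list of digests (MD5/SHA1/SHA256, any case).
    Return {path: IOC label} for every file whose digest is on the list."""
    hits = {}
    for path, digests in inventory.items():
        for digest in digests:
            label = IOC_HASHES.get(digest.strip().lower())
            if label:
                hits[path] = label
    return hits


# Constructed sample input: three proxy log lines, one DNS log line,
# and a two-file inventory with one matching digest.
SAMPLE_LOG = [
    "2024-03-02T10:14:05Z 10.0.0.12 GET https://www.detankzone.com/ 200",
    "2024-03-02T10:14:06Z 10.0.0.12 GET https://ccwaterfall.com/update.js 200",
    "2024-03-02T10:15:00Z 10.0.0.12 GET https://example.com/ 200",
    "2024-03-02T10:15:30Z dns query: detankzone.com. type A",
]
SAMPLE_INVENTORY = {
    r"C:\Users\victim\Downloads\DeTankZone_Setup.exe":
        ["8312E556C4EEC999204368D69BA91BF4"],
    r"C:\Windows\System32\notepad.exe":
        ["0123456789abcdef0123456789abcdef"],
}

if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG):
        print(f"log line {n}: contacted IOC domain {host}")
    for path, label in scan_hashes(SAMPLE_INVENTORY).items():
        print(f"{path}: matches {label}")
```

In a real sweep the hash inventory would come from an EDR export or a `sha256sum` run over download directories, and the log lines from the proxy or DNS resolver; the matching logic does not change. Note that a hit on a domain only shows that the host reached the lure site, not that the exploit succeeded, since the exploit ran on page load and the backend is gone; treat such hits as triage leads rather than confirmed compromise.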

Conclusion

The Lazarus Group’s use of CVE-2024-4947 shows how quickly a browser zero-day can be turned into a targeted theft campaign: a convincing lure site, a drive-by exploit, and a second bug to extend control once code execution is gained. For individuals and organizations the practical lessons are concrete: keep browsers on the current stable release and relaunch them so updates actually take effect, sweep logs and endpoints for published IOCs, and treat unsolicited invitations to try new crypto or DeFi products, especially over social media and direct messages, with suspicion.

For those seeking to enhance their cybersecurity posture, SOCRadar’s Threat Actor Intelligence and Vulnerability Intelligence modules provide valuable insights and real-time alerts, helping organizations identify and prioritize vulnerabilities before they can be exploited. By understanding the tactics, techniques, and procedures used by threat actors, organizations can better defend themselves against the ever-present risks in the digital landscape.
