According to ShibDaily, cybersecurity firm Kaspersky has uncovered a sophisticated cyberattack on the cryptocurrency sector, orchestrated by the North Korean Lazarus Group. Announced on Wednesday, the operation exploited a previously unknown vulnerability in Google Chrome, tracked as CVE-2024-4947, to install spyware aimed at stealing wallet credentials. The attack was detected in May 2024 and used a counterfeit blockchain-based game as cover for installing the malicious software.

Kaspersky's Global Research and Analysis Team presented their findings at the Security Analyst Summit in Bali, detailing how the Lazarus Group used a fake NFT-based tank game to execute the attack. The game’s website appeared professional, inviting users to compete globally, which added credibility to the scam. The attackers utilized a flaw in Chrome’s V8 JavaScript engine to gain control over targeted devices. Google has since patched this vulnerability. Boris Larin, Principal Security Expert at Kaspersky, noted that the attackers employed a fully functional game to exploit the Chrome zero-day vulnerability and infect systems. Simple actions like clicking on a link in an email or social media could compromise entire networks.

The fake blockchain game was designed to deliver malware, with the website's design closely mirroring that of a legitimate blockchain game, built from source code stolen from the original developers. Campaigns on platforms such as LinkedIn and X (formerly Twitter) promoted the game to potential victims in the crypto sector. In March 2024, the legitimate developers of the real game reported a breach involving the theft of $20,000 in cryptocurrency. Kaspersky researchers suspect that Lazarus Group was behind this earlier breach, repurposing the stolen source code to create the fake game. The malware was distributed as a ZIP file download containing the fake game; the game required registration to play but also executed the malicious code.

Lazarus Group's attack involved sophisticated social engineering techniques to lure cryptocurrency investors. Kaspersky reported that the group built an extensive social media presence over several months using AI-generated content and contacting crypto influencers to promote the fake game. The attackers regularly posted on X from multiple accounts to promote their game. The attack chain also included a validator in the form of shellcode that gathered system information to determine if the infected device was worth further exploitation. The payload delivered after this phase remains unknown.