Lazarus APT group targets crypto investors with AI tactics
Kaspersky's Global Research and Analysis Team has identified a sophisticated malicious campaign orchestrated by the Lazarus Advanced Persistent Threat group, targeting cryptocurrency investors globally.
In May 2024, Kaspersky experts, through analysis of incidents within the Kaspersky Security Network telemetry, discovered an attack involving Manuscrypt malware, which Lazarus has used since 2013 in over 50 documented campaigns across various industries. Further examination uncovered a complex malicious campaign that heavily utilised social engineering techniques and generative AI to exploit cryptocurrency investors.
The Lazarus group is notorious for its intricate attacks on cryptocurrency platforms, often utilising zero-day exploits. The newly uncovered campaign was no exception, with Kaspersky researchers identifying two exploited vulnerabilities, including a previously unknown type confusion bug in Google's V8 JavaScript and WebAssembly engine. This zero-day vulnerability, later fixed as CVE-2024-4947 after being reported by Kaspersky, allowed the attackers to execute arbitrary code, bypass security features and carry out various other malicious activities.
An additional vulnerability was used to circumvent Google Chrome's V8 sandbox protection. The attackers leveraged these vulnerabilities via a meticulously crafted fake game website that lured users into competing globally with NFT tanks. To enhance the campaign's credibility, elaborate efforts were made to build trust, including creating social media accounts on platforms such as X (formerly Twitter) and LinkedIn and using AI-generated images for promotional purposes.
Lazarus also engaged cryptocurrency influencers to further promote the campaign, using their social media presence both to distribute the malware more widely and to directly target the influencers' own crypto accounts.
Boris Larin, Principal Security Expert at Kaspersky's Global Research and Analysis Team, commented, "While we've seen APT actors pursuing financial gain before, this campaign was unique. The attackers went beyond typical tactics by using a fully functional game as a cover to exploit a Google Chrome zero-day and infect targeted systems."
"With notorious actors like Lazarus, even seemingly innocuous actions—such as clicking a link on a social network or in an email—can result in the complete compromise of a personal computer or an entire corporate network. The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide."
Kaspersky experts found a legitimate game that seems to have served as a prototype for the attackers' version. Shortly after the attackers launched their campaign, the genuine game's developers reported that USD 20,000 in cryptocurrency had been transferred from their wallet. The logo and design of the fake game closely imitated the original, differing only slightly in logo placement and visual quality. Given these similarities and the overlaps in the code, Kaspersky experts assert that members of Lazarus took significant steps to legitimise their attack: they built the fake game from stolen source code and altered its logos and references to reinforce the authenticity of their version.