Source |
RiskIQ |
Identifier |
8601740 |
Publication date |
2024-10-25 16:11:10 (viewed: 2024-10-25 17:07:17) |
Title |
The Crypto Game of Lazarus APT: Investors vs. Zero-days |
Text |
## Snapshot
Researchers at Kaspersky identified a cyberattack campaign by the Lazarus APT (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)) group and its BlueNoroff subgroup (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which exploited a zero-day vulnerability in Google Chrome to execute remote code through a fake decentralized finance (DeFi) game targeting individuals in the cryptocurrency space.
## Description
The attackers used a type confusion vulnerability in V8's Maglev optimizing compiler in Google Chrome, [CVE-2024-4947](https://security.microsoft.com/intel-explorer/cves/CVE-2024-4947/), to gain read/write access to the entire address space of the Chrome process. They then bypassed the V8 sandbox by exploiting a vulnerability in the Irregexp VM, which allowed them to access memory outside the bounds of the register arrays, manipulate pointers, and execute shellcode. The campaign relied on social engineering, including a malicious website that offered a download of a beta version of a computer game called "DeTankZone" as a lure; the game was a modified version of a legitimate game called DeFiTankLand. Initial infiltration was done through a hidden script on the website that exploited the Chrome vulnerabilities, giving the attackers full control of the victim's device. The attackers also built a presence on social media platforms and attempted to contact cryptocurrency influencers to promote the malicious website. Kaspersky reported the zero-day vulnerability to Google, which [released an update](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html) fixing the issue in May 2024 in Chrome version 125.0.6422.60/.61.
## Microsoft Analysis and Additional OSINT Context
[Microsoft](https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/) attributes this activity to [Moonstone Sleet](https://security.microsoft.com/intel-profiles/8ba84cecf73bd9aca4e4ff90230dc1f277c039f78c40c1938b6f74b1b7cce20f), a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned. Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using the malicious tank game DeTankWar, also called DeFiTankWar, DeTankZone, or TankWarsZone. The game is portrayed as a nonfungible token (NFT)-enabled play-to-earn game, available on Windows, Mac, and Linux.
In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms such as LinkedIn and Telegram, or by email, with a link to download the game. When targeted users launch the game, a ZIP file is downloaded and multiple malicious DLLs are loaded. This leads to connections to command-and-control (C2) infrastructure using a custom malware loader Microsoft calls YouieLoad. YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. On compromised devices of particular interest to the group, the threat actor runs hands-on-keyboard commands for further discovery and conducts credential theft.
The threat actors presented themselves as game developers seeking investment or developer support, either masquerading as a legitimate blockchain company or using fake companies such as one called C.C. Waterfall, a purported IT consulting organization. Moonstone Sleet created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself. In a similar campaign, Moonstone Sleet, again using its fake company C.C. Waterfall, emailed higher education organizations, claiming the company was |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
|
Stories |
APT 38
|