In early 2024, the Lazarus APT group used a fake DeFi game called DeTankZone as the lure for a critical Google Chrome zero-day (CVE-2024-4947); simply visiting the malicious site was enough to trigger code execution. Google patched the flaw in May 2024, but the campaign underscores the ongoing risk to cryptocurrency users from advanced threat actors and backdoors such as Manuscrypt.
Key points
- Vulnerability: CVE-2024-4947 is a critical type confusion flaw in Chrome’s V8 engine, enabling remote code execution (RCE).
- Exploitation method: Lazarus used a malicious website to exploit the Chrome zero-day and run arbitrary code on visitors.
- Malware linkage: The campaign is tied to Manuscrypt, a backdoor previously used by Lazarus.
- Attack vector: Simply visiting the deceptive site was enough to trigger the exploit and gain control.
- Promotion channels: The intrusion spread via social media ads, spear-phishing emails, and direct messages.
- Response & mitigation: Google released patches in May 2024; users should update Chrome to mitigate risk.
- Indicators of Compromise (IOCs): Specific hashes and domains associated with the attack have been identified.
MITRE Techniques
- [T1203] Exploitation for Client Execution – The vulnerability was used to execute arbitrary code on the target. Quote: “Exploiting CVE-2024-4947 enables attackers to steal valuable information like cookies, authentication tokens, browsing history, and saved passwords.”
- [T1071] Command and Control – The attackers used a malicious website to control the compromised systems. Quote: “Used a malicious website to control the compromised systems.”
- [T1566] Phishing – Promotions via social media ads, spear-phishing emails, and direct messages to lure victims. Quote: “The hackers launched promotions via ads on social media, spear-phishing emails, and direct messages.”
- [T1003] Credential Dumping – Potentially stole cookies, authentication tokens, and saved passwords from victims. Quote: “Potentially stole cookies, authentication tokens, and saved passwords from victims.”
Indicators of Compromise
- [Hash] Exploit hashes – MD5: B2DC7AEC2C6D2FFA28219AC288E4750C, SHA1: E5DA4AB6366C5690DFD1BB386C7FE0C78F6ED54F, SHA256: 7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A
- [Hash] Game hashes – MD5: 8312E556C4EEC999204368D69BA91BF4, SHA1: 7F28AD5EE9966410B15CA85B7FACB70088A17C5F, SHA256: 59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC
- [Domain] Detankzone[.]com, ccwaterfall[.]com
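A small IoC sweep over the indicators listed above, added here as an example and not code from the original report: it refangs the `[.]` domains, flags subdomains in constructed dnsmasq-style DNS log lines (not real telemetry), and compares hashes case-insensitively, since the report prints them in upper case while most tooling emits lower-case hex.

```python
import hashlib
import re

# Indicators copied from the advisory above. They are printed there in upper case,
# but most tooling emits lower-case hex, so everything is compared in lower case.
IOC_HASHES = {h.lower() for h in (
    "B2DC7AEC2C6D2FFA28219AC288E4750C",                                  # exploit MD5
    "E5DA4AB6366C5690DFD1BB386C7FE0C78F6ED54F",                          # exploit SHA1
    "7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A",  # exploit SHA256
    "8312E556C4EEC999204368D69BA91BF4",                                  # game MD5
    "7F28AD5EE9966410B15CA85B7FACB70088A17C5F",                          # game SHA1
    "59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC",  # game SHA256
)}

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'example[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

IOC_DOMAINS = {refang(d) for d in ("Detankzone[.]com", "ccwaterfall[.]com")}
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def host_matches(hostname: str) -> bool:
    """True for an IoC domain or any subdomain of one; 'notccwaterfall.com' must not match."""
    h = hostname.lower().strip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)

def scan_dns_log(lines):
    """Return (line_number, hostname) pairs for queries that hit the domain IoCs."""
    return [(n, h.lower()) for n, line in enumerate(lines, start=1)
            for h in _HOST_RE.findall(line) if host_matches(h)]

def hash_matches(digest: str) -> bool:
    """Compare a digest from an EDR/AV export against the IoC set, ignoring case."""
    return digest.strip().lower() in IOC_HASHES

def file_matches(data: bytes) -> bool:
    """Hash raw file bytes with every algorithm the advisory lists and compare."""
    return any(hash_matches(hashlib.new(a, data).hexdigest()) for a in ("md5", "sha1", "sha256"))

# Constructed sample DNS log lines (dnsmasq-style); not real telemetry.
SAMPLE_DNS_LOG = [
    "Oct 23 10:01:12 dnsmasq[811]: query[A] www.google.com from 10.0.0.5",
    "Oct 23 10:01:40 dnsmasq[811]: query[A] www.detankzone.com from 10.0.0.5",
    "Oct 23 10:02:03 dnsmasq[811]: query[A] CCWATERFALL.COM from 10.0.0.9",
    "Oct 23 10:02:30 dnsmasq[811]: query[A] notccwaterfall.com from 10.0.0.9",
]

if __name__ == "__main__":
    for n, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {n}: query for IoC domain {host}")
```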