Browser-based zero-day on a cryptocurrency game website

Last week, another cybersecurity conference was held in Indonesia: the Security Analyst Summit, organized by Kaspersky Lab. One of the key talks at the conference was devoted to the story of the discovery of a zero-day vulnerability in the Google Chrome browser back in May of this year. The vulnerability was used to attack visitors to the website of an online game that uses decentralized finance tools. A detailed analysis of the two vulnerabilities that lead to arbitrary code execution on the victim’s computer was also published on the Securelist website.

The attack was attributed to the Lazarus group, which regularly targets users of cryptocurrencies and related services. This attack is no exception, and it is interesting in its own right: for maximum plausibility, the organizers used stolen code from a real multiplayer tank game. But the detailed description of the vulnerabilities is no less valuable. In the vast majority of cases, only a meager description of the problem from the vendor ends up in the public domain. Here, the SAS presentation and the publication explore the hole in the JavaScript compiler in detail.

The story began in May 2024, when a new attack was discovered that ultimately led to the deployment of a well-known Lazarus tool, the feature-rich Manuscrypt backdoor. The DeTankZone game website offered a trial version of the online game for download, and users were promised play-to-earn gameplay with payouts in cryptocurrency. However, the game itself was posted on the site only as a distraction. The site contained malicious code that exploited two Google Chrome vulnerabilities in sequence, resulting in arbitrary code execution.

To promote the game, a comprehensive campaign was run: accounts were created on social networks (X/Twitter and LinkedIn), from which the game was actively advertised to well-known figures in the cryptocurrency world. They were promised advertising contracts, but in fact all the attackers needed was a visit to the game’s website. Kaspersky Lab specialists reported the discovered vulnerability to Google, which released a patch within two days. The active phase of the attack lasted roughly from February to May 2024.

Formally, the “main” vulnerability, CVE-2024-4947, is in the V8 JavaScript engine used by Google Chrome. V8 currently runs JavaScript code using an interpreter and one of three compilers. The several just-in-time compilers serve optimization purposes. The compiler codenamed TurboFan generates machine code slowly, but the result is optimized for maximum performance. The Sparkplug compiler generates unoptimized code, but does so as quickly as possible. The Maglev compiler, added to V8 at the end of 2023 (starting with Chrome 117), sits in between: compilation is fairly fast, and the resulting code is still optimized to a comparable degree. The vulnerability was discovered in Maglev.

The bug (described in detail in the original publications) causes type confusion, which in turn leads to memory corruption. As a result, the attackers gain read and write access to the entire address space of the Google Chrome process. This, however, is not enough: it is also necessary to bypass the V8 sandbox, created specifically to prevent the exploitation of vulnerabilities in the engine.

The sandbox vulnerability, caused by missing checks on certain instructions in JavaScript code, allows memory outside the sandbox to be accessed in read-write mode. This problem does not have a CVE ID and was fixed in March 2024. It remains unknown whether the Lazarus group used it as a zero-day, or whether exploitation began after the patch was released. To carry the attack further, the attackers needed other vulnerabilities that would allow them to escalate privileges on the system. This part of the attack has not been investigated: such an investigation would take time, and the decision was made to pass information about the main vulnerability in the V8 engine to Google as quickly as possible.

An additional quest in this investigation was the game itself: the demo version distributed on the malicious site was not malicious, but it also did not work, and the server side was to blame. The authors of the report reverse-engineered the calls to the server and wrote their own server, with which they managed to launch the game.

So the game turned out to be (semi-)working, and this could be considered the first time that attackers developed a real game to carry out an attack. But in fact, the game code was stolen. The real game was called DefitankLand. The price of the associated cryptocurrency DFTL2 collapsed after the developers’ wallet was hacked on March 2 and $20,000 worth of “crypto coins” was stolen from it. The report said that an insider was involved in the theft, but it can be assumed that this legitimate “crypto game” was hacked by the Lazarus group. Not only the cryptocurrency was stolen, but also the game’s source code, which was slightly modified and adapted for the malicious campaign.

In conclusion, Kaspersky Lab experts note that optimizing the JavaScript engine and creating new compilers leads to the emergence of new vulnerabilities. The V8 engine’s sandbox can help in the fight against these vulnerabilities once its code is rid of its “childhood diseases”. Separately, they note the ingenuity of the Lazarus group’s attackers in using the latest technologies in cyberattacks.

What else happened

Another publication by Kaspersky Lab experts dissects the Grandoreiro banking Trojan targeting users in Brazil.

A dangerous vulnerability was discovered in the free LibRAW library for working with RAW files from various cameras.

The October set of patches for Samsung smartphones closes a serious vulnerability in Samsung Exynos processors. The vulnerability has already been used in real attacks and can lead to privilege escalation.
