{"id":23526,"date":"2024-11-08T19:10:43","date_gmt":"2024-11-08T15:10:43","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23526"},"modified":"2024-11-08T19:10:43","modified_gmt":"2024-11-08T15:10:43","slug":"how-to-play-tanks-and-catch-backdoor","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/how-to-play-tanks-and-catch-backdoor\/23526\/","title":{"rendered":"How (not) to play tanks and catch a backdoor"},"content":{"rendered":"<p>Battle City, colloquially known as \u201cthat tank game\u201d, is a symbol of a bygone era. Some 30 years ago, gamers would pop a cartridge into their console, settle in front of a bulky TV, and obliterate waves of enemy tanks until the screen gave out.<\/p>\n<p>Today, the world\u2019s a different place, but tank games remain popular. Modern iterations offer gamers not just the thrill of gameplay but also the chance to earn NFTs. Cybercriminals too have something to offer: a sophisticated attack targeting crypto-gaming enthusiasts.<\/p>\n<h2>Backdoor and zero-day exploit in Google Chrome<\/h2>\n<p>This story begins in February 2024, when <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">our security solution<\/a>\u00a0detected the Manuscrypt backdoor on a user\u2019s computer in Russia. We\u2019re very familiar with this backdoor; various versions of it have been used by the <a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-vhd-ransomware\/36559\/\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus APT<\/a> group since at least 2013. So, given we already know the main tool and methods used by the attackers \u2014 what\u2019s so special about this particular incident?<\/p>\n<p>The thing is that these hackers typically target large organizations like banks, IT companies, universities, and even government agencies. 
But this time, Lazarus hit an individual user, planting a backdoor on a personal computer! The cybercriminals lured the victim to a game site and thereby gained complete access to their system. Three things made this possible:<\/p>\n<ul>\n<li>The victim\u2019s irresistible desire to play their favorite tank game in a new format<\/li>\n<li>A zero-day vulnerability in Google Chrome<\/li>\n<li>An exploit that allowed remote code execution in the Google Chrome process<\/li>\n<\/ul>\n<p>Before you start to worry, relax: Google has since released a browser update, blocked the tank game\u2019s website, and <a href=\"https:\/\/chromereleases.googleblog.com\/2024\/05\/stable-channel-update-for-desktop_15.html\" target=\"_blank\" rel=\"nofollow noopener\">thanked<\/a> the Kaspersky security researchers. But just in case, <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">our products<\/a>\u00a0detect both the Manuscrypt backdoor and the exploit. We\u2019ve delved into the details of this story on the <a href=\"https:\/\/securelist.com\/lazarus-apt-steals-crypto-with-a-tank-game\/114282\/\" target=\"_blank\" rel=\"noopener\">Securelist blog<\/a>.<\/p>\n<h2>Fake accounts<\/h2>\n<p>At the start of the investigation, we thought the group had gone to extraordinary lengths this time: \u201cDid they actually create an entire game just for a scam?\u201d But we soon worked out what they\u2019d really done. The cybercriminals based their game \u2014 DeTankZone \u2014 on the existing game DeFiTankLand. 
They really went all out, stealing the source code of DeFiTankLand and creating fake social media accounts for their counterfeit.<\/p>\n<p>Around the same time, in March 2024, the price of the DefitankLand (sic) cryptocurrency plummeted \u2014 the developers of the original game <a href=\"https:\/\/t.me\/DFTLofficial\/8935\" target=\"_blank\" rel=\"nofollow noopener\">announced<\/a> that their <a href=\"https:\/\/www.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/47971\/#:~:text=Hot%20and%20cold%2C%20hardware%20and%20software%20wallets\" target=\"_blank\" rel=\"noopener nofollow\">cold wallet<\/a> had been hacked, and \u201csomeone\u201d had stolen $20,000. The identity of this \u201csomeone\u201d remains a mystery. The developers believe it was an insider, but we suspect that the ever-present tentacles of Lazarus are involved.<\/p>\n<div id=\"attachment_52568\" style=\"width: 1810px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185316\/how-to-play-tanks-and-catch-backdoor-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52568\" class=\"size-full wp-image-52568\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185316\/how-to-play-tanks-and-catch-backdoor-1.png\" alt=\"Differences between the fake and the original are minimal\" width=\"1800\" height=\"864\"><\/a><p id=\"caption-attachment-52568\" class=\"wp-caption-text\">Differences between the fake and the original are minimal<\/p><\/div>\n<p>The cybercriminals orchestrated a full-blown promotion campaign for their game: they boosted follower counts on X (formerly Twitter), sent collaboration offers to hundreds of cryptocurrency influencers (also potential victims), created premium LinkedIn accounts, and organized waves of phishing emails. 
As a result, the fake game got even more traction than the <a href=\"https:\/\/twitter.com\/defitankland\" target=\"_blank\" rel=\"nofollow noopener\">original<\/a> (6000 followers on X, versus 5000 for the original game\u2019s account).<\/p>\n<div id=\"attachment_52567\" style=\"width: 1325px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185336\/how-to-play-tanks-and-catch-backdoor-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52567\" class=\"size-full wp-image-52567\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185336\/how-to-play-tanks-and-catch-backdoor-2.png\" alt=\"Social media content created by AI with the help of graphic designers\" width=\"1315\" height=\"696\"><\/a><p id=\"caption-attachment-52567\" class=\"wp-caption-text\">Social media content created by AI with the help of graphic designers<\/p><\/div>\n<h2>How we played tanks<\/h2>\n<p>Now for the most fun part\u2026<\/p>\n<p>The malicious site that Lazarus lured their victims to offered a chance, not only to \u201ctry out\u201d a zero-day browser exploit, but also to play a beta version of the game. Now, here at Kaspersky, we respect the classics, so we couldn\u2019t resist having a go on this promising new version. We downloaded an archive that seemed completely legitimate: 400MB in size, correct file structure, logos, UI elements, and 3D model textures. Boot her up!<\/p>\n<p>The DeTankZone start menu greeted us with a prompt to enter an email address and password. We first tried logging in using <a href=\"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/#:~:text=Using%20popular%20words%20and%20number%20sequences\" target=\"_blank\" rel=\"noopener nofollow\">common passwords<\/a> like \u201c12345\u201d and \u201cpassword\u201d, but that didn\u2019t work. \u201cFine, then\u201d, we thought. 
\u201cWe\u2019ll just register a new account\u201d. Again, no luck \u2014 the system wouldn\u2019t let us play.<\/p>\n<div id=\"attachment_52566\" style=\"width: 1930px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185420\/how-to-play-tanks-and-catch-backdoor-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52566\" class=\"size-full wp-image-52566\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185420\/how-to-play-tanks-and-catch-backdoor-3.png\" alt=\"The start menu inspires confidence with a seemingly legitimate login form\" width=\"1920\" height=\"1080\"><\/a><p id=\"caption-attachment-52566\" class=\"wp-caption-text\">The start menu inspires confidence with a seemingly legitimate login form<\/p><\/div>\n<p>So why were there 3D model textures and other files in the game archive? Could they really have been other components of the malware? Actually, it wasn\u2019t that bad. We reverse-engineered the code and discovered elements responsible for the connection to the game server \u2014 which, for this fake version, was non-functional. So, in theory, the game was still playable. 
A bit of time spent, a little programming, and <em>voil\u00e0<\/em> \u2014 we replace the hackers\u2019 server with our own, and the red tank \u201cBoris\u201d enters the arena.<\/p>\n<div id=\"attachment_52565\" style=\"width: 1556px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185452\/how-to-play-tanks-and-catch-backdoor-4.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52565\" class=\"size-full wp-image-52565\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/11\/08185452\/how-to-play-tanks-and-catch-backdoor-4.png\" alt=\"The game reminded us of shareware games from 20 years ago \u2014 which made all the effort worthwhile\" width=\"1546\" height=\"806\"><\/a><p id=\"caption-attachment-52565\" class=\"wp-caption-text\">The game reminded us of shareware games from 20 years ago \u2014 which made all the effort worthwhile<\/p><\/div>\n<h2>Lessons from this attack<\/h2>\n<p>The key takeaway here is that even seemingly harmless web links can end up with your entire computer being hijacked. Cybercriminals are constantly refining their tactics and methods. Lazarus is already using generative AI with some success, meaning we can expect even more sophisticated attacks involving it in the future.<\/p>\n<p><a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Security solutions<\/a> are also evolving with effective integration of AI \u2014 learn more <a href=\"https:\/\/www.kaspersky.com\/blog\/ai-role-in-cybersecurity-automation\/52448\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/ai-cybersecurity-practical-soc-usage\/52474\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>. 
All ordinary internet users have to do is make sure their devices are <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">protected<\/a>, and stay informed about the latest scams. Fortunately, the Kaspersky Daily blog makes this easy \u2014 <a href=\"https:\/\/www.kaspersky.com\/blog\/subscribe\/\" target=\"_blank\" rel=\"noopener nofollow\">subscribe<\/a> to stay updated\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals have devised a new ruse: luring gamers to a modish crypto tank-game to gain full access to their computers.<\/p>\n","protected":false},"author":2706,"featured_media":23529,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,1486],"tags":[1505,163,76,695,2791],"class_list":{"0":"post-23526","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"tag-cryptocurrencies","10":"tag-gaming","11":"tag-phishing","12":"tag-scam","13":"tag-zero-day-vulnerability"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/how-to-play-tanks-and-catch-backdoor\/23526\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/how-to-play-tanks-and-catch-backdoor\/28271\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-play-tanks-and-catch-backdoor\/28412\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/how-to-play-tanks-and-catch-backdoor\/27787\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/how-to-play-tanks-and-catch-backdoor\/30528\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/how-to-play-tanks-and-catch-backdoor\/29279\/"},{"hreflang":
"ru","url":"https:\/\/www.kaspersky.ru\/blog\/how-to-play-tanks-and-catch-backdoor\/38498\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/how-to-play-tanks-and-catch-backdoor\/12940\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-to-play-tanks-and-catch-backdoor\/52561\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/how-to-play-tanks-and-catch-backdoor\/22352\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/how-to-play-tanks-and-catch-backdoor\/23095\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/how-to-play-tanks-and-catch-backdoor\/28482\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-to-play-tanks-and-catch-backdoor\/34367\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-to-play-tanks-and-catch-backdoor\/33992\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23526"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23526\/revisions"}],"predecessor-version":[{"id":23530,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23526\/revisions\/23530"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23529"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23526"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}