North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.
“We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain,” Microsoft said on Friday, attributing the attacks to Citrine Sleet (previously tracked as DEV-0139).
Other cybersecurity vendors track this North Korean threat group as AppleJeus, Labyrinth Chollima, and UNC4736, while the U.S. government collectively refers to malicious actors sponsored by the North Korean government as Hidden Cobra.
Citrine Sleet targets financial institutions, focusing on cryptocurrency organizations and associated individuals, and has been previously linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.
The North Korean hackers are also known for using malicious websites camouflaged as legitimate cryptocurrency trading platforms to infect potential victims with fake job applications or weaponized cryptocurrency wallets or trading apps.
UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX in March 2023, following a previous supply-chain attack in which they breached the site of Trading Technologies, a stock trading automation company, to push trojanized X_TRADER software builds.
Google’s Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies’ website in a March 2022 report. The U.S. government also warned about North Korean-backed state hackers targeting cryptocurrency-related companies and individuals with AppleJeus malware for years.
Windows Kernel downloaded in Chrome zero-day attack
Google patched the CVE-2024-7971 zero-day last week, describing it as a type confusion weakness in Chrome’s V8 JavaScript engine. This vulnerability enabled the threat actors to gain remote code execution in the sandboxed Chromium renderer process of targets redirected to an attacker-controlled website at voyagorclub[.]space.
After escaping the sandbox, they used the compromised web browser to download a Windows sandbox escape exploit targeting the CVE-2024-38106 flaw in the Windows Kernel (fixed during this month’s Patch Tuesday), which enabled them to gain SYSTEM privileges.
The threat actors also downloaded and loaded the FudModule rootkit into memory, which was used for kernel tampering and direct kernel object manipulation (DKOM) and allowed them to bypass kernel security mechanisms.
Since its discovery in October 2022, this rootkit has also been used by Diamond Sleet, another North Korean hacking group with which Citrine Sleet shares other malicious tools and attack infrastructure.
“On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs,” Microsoft said on Friday.
“In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access.”
Redmond added that one of the organizations targeted in attacks exploiting the CVE-2024-7971 Chrome zero-day was also previously targeted by another North Korean threat group tracked as BlueNoroff (or Sapphire Sleet).