North Korean hackers have exploited a recently patched zero-day vulnerability in Google Chrome to deploy the FudModule rootkit. The attack, attributed to the threat actor group Citrine Sleet, highlights the persistent efforts of nation-state adversaries to target financial institutions and cryptocurrency managers.
Key Takeaways
Threat Actor: Citrine Sleet, a subgroup within the Lazarus Group
Target: Financial institutions and cryptocurrency managers
Exploited Vulnerability: CVE-2024-7971 in the V8 JavaScript and WebAssembly engine
Payload: FudModule rootkit
Attack Vector: Fake cryptocurrency trading platforms
Exploitation of Chrome Zero-Day Vulnerability
The zero-day vulnerability, identified as CVE-2024-7971, is a high-severity type confusion flaw in the V8 JavaScript and WebAssembly engine. This vulnerability allows threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. Google patched this flaw as part of updates released last week.
Attribution to Citrine Sleet
Microsoft detected the activity on August 19, 2024, and attributed it to Citrine Sleet, also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. This group is assessed to be a sub-cluster within the Lazarus Group, which is also known as Diamond Sleet and Hidden Cobra.
Attack Methodology
Citrine Sleet primarily targets financial institutions and individuals managing cryptocurrency. The group conducts extensive reconnaissance of the cryptocurrency industry and associated individuals. The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms. These websites trick users into installing weaponized cryptocurrency wallets or trading applications, facilitating the theft of digital assets.
Technical Details
The observed attack began with exploitation of CVE-2024-7971. Victims were directed to a malicious website named voyagorclub[.]space, likely through social engineering. Visiting the site triggered the CVE-2024-7971 exploit, which then retrieved shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit. The rootkit establishes admin-to-kernel access on Windows systems, giving the attacker kernel read/write primitives and direct kernel object manipulation.
Additional Exploited Vulnerabilities
CVE-2024-38106, a Windows kernel privilege escalation bug, is one of six actively exploited security flaws that Microsoft remediated in its August 2024 Patch Tuesday update. The exploitation of this flaw by Citrine Sleet occurred after the fix was released, suggesting a possible 'bug collision' or shared knowledge among threat actors.
CVE-2024-7971 is the third vulnerability leveraged by North Korean threat actors this year to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193. Both of those are privilege escalation flaws in built-in Windows drivers and were fixed by Microsoft in February and August 2024, respectively.
Mitigation and Recommendations
The CVE-2024-7971 exploit chain relies on multiple components to compromise a target. Blocking any of these components, including CVE-2024-38106, can disrupt the attack chain. Zero-day exploits necessitate not only keeping systems up to date but also employing security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity.
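As an added illustration of the "break any link in the chain" point above (example code written for this page, not from the article or from Microsoft), the script below triages constructed proxy-log lines: it flags any client that reached the delivery site named in the article and ranks the hit by whether the client's Chrome build predates the fix. The proxy-log format and sample lines are made up, and the fixed Chrome build number is not stated in the article; it is taken from Google's release notes and should be verified before use.

```python
import re
# Exploit delivery site named in the article (shown defanged there).
EXPLOIT_SITE = "voyagorclub.space"
# First Chrome stable build carrying the CVE-2024-7971 fix. Not stated in the
# article (it only says "updates released last week"); verify against Google's
# release notes before relying on this value.
FIXED_CHROME = (128, 0, 6613, 84)

# Constructed proxy-log format: <time> <client> <host> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
UA_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    '2024-08-19T10:02:11Z 10.1.4.22 voyagorclub.space 200 "Mozilla/5.0 Chrome/127.0.6533.120 Safari/537.36"',
    '2024-08-19T10:02:13Z 10.1.4.22 cdn.example.net 200 "Mozilla/5.0 Chrome/127.0.6533.120 Safari/537.36"',
    '2024-08-22T09:15:40Z 10.1.7.9 voyagorclub.space. 200 "Mozilla/5.0 Chrome/128.0.6613.84 Safari/537.36"',
    '2024-08-22T09:16:02Z 10.1.9.3 voyagorclub.space 404 "curl/8.4.0"',
    "malformed line that does not match the format",
]

def chrome_version(user_agent):
    """Chrome build as an int tuple, or None for non-Chrome clients."""
    m = UA_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(host, version):
    """Triage label for one request, or None if the host is not the exploit site.
    An unpatched renderer reaching the site is the article's scenario; any other
    client reaching it still shows the lure worked, so it is reported lower."""
    if host != EXPLOIT_SITE:
        return None
    if version is None:
        return "review: non-Chrome client reached exploit site"
    if version < FIXED_CHROME:
        return "high: unpatched Chrome reached exploit site"
    return "medium: patched Chrome reached exploit site"

def triage(log_lines):
    """Return (time, client, label) for each request worth an analyst's attention."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines outside the constructed format
        ts, client, host, _status, ua = m.groups()
        label = classify(host.lower().rstrip("."), chrome_version(ua))
        if label:
            findings.append((ts, client, label))
    return findings
```

Run against real proxy exports by adapting LOG_RE to the export format; the host normalisation (lower-case, trailing dot stripped) matters because DNS-style logging often records the FQDN with a trailing dot.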
In today's digital age, protecting your business from cyber threats is more important than ever. BetterWorld Technology's cybersecurity experts are dedicated to safeguarding your data and infrastructure with comprehensive, tailored solutions. Whether you need proactive monitoring, threat assessment, or incident response, we have the expertise to keep your business secure. Book a consultation with us now and take the first step toward fortifying your cybersecurity defenses with BetterWorld Technology.
Sources
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit, The Hacker News.