A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited by North Korean actors in the FudModule rootkit campaign.
This development shows the persistent efforts of the adversary nation-state, which in recent months has made a habit of including many Windows zero-day exploits in its arsenal.
Microsoft, which discovered this activity on August 19, 2024, classified it as a threat it monitors as Citrine Slit (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It is believed to be a subcluster in the Lazarus group (aka Diamond Snow and Hidden Cobra).
It should be noted that the AppleJeus malware has been used before attributed to Kaspersky to another subgroup called Lazarus BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicating a shared infrastructure and toolset between these threat actors.
“Citrine Sleet is based in North Korea and primarily targets financial institutions, specifically organizations and individuals that manage cryptocurrency for financial gain,” Microsoft Threat Intelligence Team said.
“As part of its social engineering tactics, Citrine Sleet conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it.”
Attack chains usually include creating fake websites posing as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading programs that facilitate the theft of digital assets.
Citrine Sleet’s observed zero-day attack implied the use CVE-2024-7971A high-severity type of confusion vulnerability in the V8 JavaScript and WebAssembly engine could allow threat actors to obtain remote code execution (RCE) during the Chromium sandbox rendering process. It was fixed by Google as part of updates released last week.
As previously reported by The Hacker News, CVE-2024-7971 is the third heavily exploited V8 confusion bug that Google has addressed this year, following CVE-2024-4947 and CVE-2024-5274.
It is currently unclear how widespread these attacks were or who was targeted, but victims are said to have been directed to a malicious website called voyagerclub(.)space, possibly using social engineering techniques, which triggered an exploit for CVE- 2024-7971.
The RCE exploit, on the other hand, opens the way to obtain shellcode containing a Windows sandboxing exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish kernel administrator access to Windows systems. to allow primitive read/write functions and perform (direct manipulation of kernel objects).”
CVE-2024-38106, a Windows kernel privilege escalation flaw, is one of six actively exploited security flaws that Microsoft sanitized as part of the August 2024 Patch Tuesday update. However, it was discovered that exploits related to Citrine Sleet occurred after the patch was released.
“This may indicate a ‘bump collision’ where the same vulnerability is discovered independently by separate threat actors, or knowledge of a vulnerability has been shared by a single vulnerability researcher to multiple actors,” Microsoft said.
CVE-2024-7971 is also the third vulnerability North Korean threat actors have exploited this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193both of which are privilege escalation flaws in built-in Windows drivers and were patched by Microsoft in February and August.
“The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain does not work if any of these components are blocked, including CVE-2024-38106,” the company said.
“Zero-day exploits require not only keeping systems up-to-date, but also security solutions that provide unified visibility across the cyber attack chain to detect and block attacker tools post-hack and malicious activities post-exploitation.”
