Friday, December 13, 2024

North Korean hackers leverage FudModule rootkit via Chrome zero-day exploit.

A recently patched security vulnerability in Google Chrome and other Chromium-based browsers has been exploited by North Korean cyberactors, who used it to distribute the FudModule rootkit in a targeted attack campaign.

The recent cyberattack serves as a stark reminder of the persistence and sophistication of nation-state adversaries, who have repeatedly added Windows zero-day exploits to their arsenal over the past few months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (previously known as DEV-0139 and DEV-1222), also referred to as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. The group is assessed to be a sub-cluster of the Lazarus Group, which is itself tracked under the aliases Diamond Sleet and Hidden Cobra.

Notably, Kaspersky previously attributed the use of the AppleJeus malware to a distinct Lazarus subgroup (also referred to as APT38, Nickel Gladstone, and Stardust Chollima), which hints at infrastructure and toolset sharing between these actors.

Microsoft’s 365 Threat Intelligence team describes Citrine Sleet as a highly targeted attack group operating from North Korea that focuses primarily on financial institutions, in particular organizations and individuals involved in managing cryptocurrency, with the goal of financial gain.

“Citrine Sleet has conducted comprehensive reconnaissance within the cryptocurrency ecosystem, targeting key individuals and entities involved in this space as part of its social engineering tactics.”

Malicious entities create fake websites purporting to be legitimate cryptocurrency trading platforms, aiming to deceive users into installing malicious cryptocurrency wallets or trading software that enables the theft of digital assets.

The zero-day exploited by Citrine Sleet is a critical vulnerability in Google’s V8 JavaScript and WebAssembly engine that could allow attackers to execute arbitrary code remotely inside the Chrome browser’s sandboxed environment, a high-severity threat to users. Google patched the vulnerability as part of its regular software updates released last week.

As previously reported by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved 12 months after its discovery.

Although the scale and targeting of these attacks remain unclear, victims were reportedly redirected, by way of social engineering, to a malicious website, Voyagorclub.house, which then triggered exploitation of CVE-2024-7971.
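A defender reading the paragraph above will want to know whether any host in their environment was redirected to that site. The following script is an added example, not code from the article, Microsoft or Google: it hunts a Squid-style web-proxy access log for the indicator domain named in the article, records which internal clients reached it and when, and keeps the request each client made immediately before the hit, since the article describes the site as a redirect destination. The log lines are constructed sample data, the client addresses are placeholders, and the domain matching deliberately rejects look-alike hosts that merely end in the indicator string.

```python
"""Hunt a web-proxy access log for the redirect destination named in the article."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Indicator taken from the article above (the redirect destination it names).
# Matching is exact or on a subdomain; a look-alike such as notvoyagorclub.house must not match.
INDICATOR_DOMAINS = frozenset({"voyagorclub.house"})

# Constructed sample in Squid native access-log format (not real traffic):
# epoch_seconds elapsed_ms client_ip result/status bytes method url ident hierarchy/peer mime
SAMPLE_PROXY_LOG = """\
1724083200.101    45 10.20.1.15 TCP_MISS/200 5123 GET https://www.example.org/index.html - HIER_DIRECT/203.0.113.10 text/html
1724083260.404    12 10.20.1.15 TCP_MISS/302 412 GET http://trade-signals.example/offer - HIER_DIRECT/203.0.113.11 text/html
1724083261.007    88 10.20.1.15 TCP_MISS/200 9981 GET https://VoyagorClub.house/ - HIER_DIRECT/203.0.113.12 text/html
1724083300.512    30 10.20.1.22 TCP_MISS/200 2200 GET https://cdn.voyagorclub.house/app.js - HIER_DIRECT/203.0.113.12 application/javascript
1724083400.000    20 10.20.1.31 TCP_MISS/200 1500 GET https://notvoyagorclub.house/ - HIER_DIRECT/203.0.113.13 text/html
"""


@dataclass
class Hit:
    when: str              # ISO-8601 UTC timestamp of the request
    client_ip: str         # internal client that made the request
    host: str              # matched hostname, lower-cased
    url: str               # full URL requested
    prior_url: Optional[str]  # last request by the same client before the hit (possible redirector)


def host_matches(host: str, indicator: str) -> bool:
    """True only for the indicator itself or one of its subdomains, never for a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def parse_line(line: str):
    """Extract (timestamp, client_ip, host, url) from one access-log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, _elapsed, client_ip, _status, _bytes, _method, url = parts[:7]
    host = urlsplit(url).hostname  # urlsplit lower-cases the hostname for us
    if host is None:
        return None
    when = datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()
    return when, client_ip, host, url


def hunt(log_text: str, indicators=INDICATOR_DOMAINS) -> list:
    """Walk the log in order, returning one Hit per request to an indicator domain."""
    hits = []
    last_url = {}  # client_ip -> most recent URL seen, used to capture the redirector
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, client_ip, host, url = rec
        if any(host_matches(host, ind) for ind in indicators):
            hits.append(Hit(when, client_ip, host, url, last_url.get(client_ip)))
        last_url[client_ip] = url
    return hits


def affected_clients(hits) -> list:
    """Sorted, de-duplicated list of clients that contacted an indicator domain."""
    return sorted({h.client_ip for h in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.when} {h.client_ip} -> {h.url} (previous request: {h.prior_url})")
    print("clients to triage:", affected_clients(found))
```

Run against a real export, the `prior_url` field is what turns a single indicator hit into a lead: in the constructed sample it points at the page that issued the 302, which is where the social-engineering lure would have lived. The look-alike line is there to show why a naive `endswith` check on the raw string is not enough.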

By design, the RCE exploit retrieves shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which performs admin-to-kernel escalation on Windows systems to obtain a kernel read/write primitive and directly manipulate kernel objects.

CVE-2024-38106, a Windows kernel privilege escalation flaw, is among the six actively exploited security issues that Microsoft fixed in its August 2024 Patch Tuesday update. It has been confirmed that the Citrine Sleet-linked exploitation of the vulnerability began after the patch had been released.

“This may lead to a ‘bug collision,’ where the same vulnerability is independently discovered by multiple threat actors, or information about the vulnerability is shared among several researchers,” Microsoft said.

CVE-2024-7971 marks the third instance this year in which North Korean threat actors have exploited a Windows driver vulnerability to deliver the FudModule rootkit, following two earlier privilege escalation flaws that Microsoft discovered and patched in February and August.

According to the company, the CVE-2024-7971 exploit chain relies on several components to compromise a target, and the chain fails if any one of them, including CVE-2024-38106, is blocked.

“To effectively counter zero-day exploits, it’s crucial to maintain software updates alongside robust security measures providing real-time visibility across the entire attack chain, enabling detection and blocking of post-exploitation attacker tools and malicious activities.”
