A North Korean threat actor has been found exploiting a zero-day vulnerability in Chromium, now designated as CVE-2024-7971. The exploit, which enables remote code execution (RCE), is being attributed with high confidence to a North Korean group known as Citrine Sleet. The actor primarily targets the cryptocurrency sector for financial gain.
Microsoft’s ongoing analysis has linked the observed exploitation of CVE-2024-7971 to Citrine Sleet. The threat actor has previously been associated with other North Korean groups, including Diamond Sleet, which shares tools and infrastructure with Citrine Sleet. The FudModule rootkit, which has been deployed in this attack, has also been attributed to Diamond Sleet, indicating a possible overlap between the two threat actors.
Google released a fix for the vulnerability on 21 August and urged users to update their Chromium-based browsers to the latest version.
Vulnerability Details
CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, affecting versions of Chromium prior to 128.0.6613.84. The vulnerability enables malefactors to execute remote code in the sandboxed Chromium renderer process. This is the third V8 type confusion vulnerability patched this year, following CVE-2024-4947 and CVE-2024-5274.
Microsoft notified affected customers directly and provided them with guidance to secure their systems against this attack.
Citrine Sleet’s Tactics and Targeting
Citrine Sleet is a North Korean threat actor known for targeting financial institutions and individuals managing cryptocurrency assets. The group uses social engineering tactics to lure targets into downloading weaponized applications or visiting malicious websites. Their primary malware, AppleJeus, has been used to gain control over cryptocurrency assets.
In this latest attack, Citrine Sleet directed targets to a malicious domain, voyagorclub[.]space, where the zero-day exploit for CVE-2024-7971 was served. The attack chain also included the use of CVE-2024-38106, a Windows kernel vulnerability that Microsoft patched earlier in August. Once the sandbox escape exploit was successful, the FudModule rootkit was deployed.
FudModule Rootkit
FudModule is sophisticated rootkit malware that targets Windows-based systems by manipulating kernel security mechanisms. Diamond Sleet has been using the rootkit since 2021 and has evolved over time to evade detection.
Additional research by Avast, uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule 2.0,” which features malicious loaders and a late-stage remote access trojan (RAT). This attack chain showed that a previously unknown malware, Kaolin RAT, was the culprit behind loading the FudModule rootkit to targeted devices.
Mitigation and Recommendations
Microsoft has released security updates to address the vulnerabilities exploited in this attack. Users are urged to update their systems and browsers to the latest versions. Additionally, Microsoft recommends implementing the following security measures:
- Keep systems and applications up to date: Apply security patches promptly and ensure that browsers like Chrome and Edge are updated to the latest versions.
- Enable network protection: Use Microsoft Defender for Endpoint to block malicious websites and phishing attempts.
- Run endpoint detection and response (EDR) in block mode: This helps block malicious artifacts even if they are not detected by antivirus software.
- Turn on cloud-delivered protection: This feature in Microsoft Defender Antivirus helps protect against rapidly evolving threats.
- Enable real-time protection: Ensure that real-time protection is active to detect and block malicious activity.
As North Korean threat actors continue to target the cryptocurrency sector, organizations must remain vigilant and implement robust security measures to protect their assets.
For more information on this threat and detailed guidance on mitigation, please read Microsoft’s full blog.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.