North Korean Cybercriminals Deploy FudModule Rootkit via Chrome Zero-Day Vulnerability

August 31, 2024 | Ravie Lakshmanan | Rootkit / Threat Intelligence


An unpatched security vulnerability in Google Chrome and other Chromium-based web browsers was exploited by North Korean hackers as a zero-day attack in a campaign aimed at distributing the FudModule rootkit.

The incident is the latest sign of the nation-state adversary's persistent efforts; over recent months it has followed a pattern of folding multiple Windows vulnerabilities into its toolkit.

Microsoft, which identified the activity on August 19, 2024, attributed it to a threat actor referred to as Citrine Sleet (formerly known as DEV-0139 and DEV-1222), also recognized by aliases such as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. This entity is considered a sub-group within the Lazarus Group (also known as Diamond Sleet and Hidden Cobra).

It should be noted that AppleJeus malware has previously been linked by Kaspersky to another Lazarus subgroup named BlueNoroff (also identified as APT38, Nickel Gladstone, and Stardust Chollima), revealing shared infrastructure and toolsets among these threat actors.


“Citrine Sleet is located in North Korea and focuses primarily on financial institutions, particularly entities and individuals involved in managing cryptocurrencies, for financial gain,” stated the Microsoft Threat Intelligence team report.

“As part of its social engineering strategies, Citrine Sleet extensively researches the cryptocurrency sector and associated individuals.”

The attack vectors commonly involve creating deceptive websites posing as legitimate cryptocurrency trading platforms with the aim of deceiving users into installing malicious cryptocurrency wallets or trading applications that enable the theft of digital assets.

The zero-day attack by Citrine Sleet exploited CVE-2024-7971, a critical type confusion flaw in the V8 JavaScript and WebAssembly engine that lets attackers achieve remote code execution (RCE) inside the sandboxed Chromium renderer process. Google patched the vulnerability in recent updates.

As The Hacker News previously reported, CVE-2024-7971 is the third actively exploited type confusion vulnerability in V8 that Google has patched this year, after CVE-2024-4947 and CVE-2024-5274.

The extent of these attacks and their targets remains uncertain, but the victims were directed to a malevolent website named voyagorclub[.]space, possibly through social engineering tactics, triggering the CVE-2024-7971 exploit.
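A defender-side hunt for the indicator named above, as an added example that is not part of the article or of Microsoft's report: it refangs the published domain, parses constructed proxy log lines in an assumed `<timestamp> <client> <method> <url> <status>` format, and flags exact and subdomain matches while ignoring look-alike hosts.

```python
import re
from typing import Iterable

# Indicator exactly as published (defanged); everything else in this file is constructed.
DEFANGED_IOCS = ["voyagorclub[.]space"]

# Minimal proxy log: "<timestamp> <client_ip> <method> <url> <status>" (assumed format)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:?#]+)")

def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so the indicator can be matched against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def host_matches(host: str, ioc: str) -> bool:
    """Exact match or subdomain of the indicator; 'notvoyagorclub.space' must not match."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def find_hits(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> list[dict]:
    """Return one record per log line whose destination host matches an indicator."""
    targets = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole hunt
        hm = HOST_RE.match(m["url"].lower())
        if not hm:
            continue
        for t in targets:
            if host_matches(hm["host"], t):
                hits.append({"ts": m["ts"], "client": m["client"], "host": hm["host"], "ioc": t})
    return hits

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2024-08-19T10:01:00Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-08-19T10:02:13Z 10.0.0.7 GET https://voyagorclub.space/ 200",
    "2024-08-19T10:02:14Z 10.0.0.7 GET https://cdn.voyagorclub.space/app.js 200",
    "2024-08-19T10:03:00Z 10.0.0.9 GET https://notvoyagorclub.space/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Each hit carries the client address, so the output doubles as the list of hosts to pull for browser-crash and process-creation telemetry.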

The RCE exploit was used to inject shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which obtains admin-to-kernel access on Windows systems in order to perform primitive read/write operations and direct kernel object manipulation.


CVE-2024-38106, a Windows kernel privilege escalation vulnerability, is one of six actively exploited security flaws that Microsoft addressed in its August 2024 Patch Tuesday update. Notably, Citrine Sleet's exploitation took place after the fix had been released.

“This might indicate a ‘bug collision,’ where the same vulnerability is independently discovered by distinct threat actors, or information about the vulnerability was shared by a single researcher with multiple parties,” according to Microsoft.

CVE-2024-7971 is the third vulnerability North Korean threat actors have exploited this year to deploy the FudModule rootkit, after CVE-2024-21338 and CVE-2024-38193, both privilege escalation flaws in built-in Windows drivers that Microsoft patched in February and August, respectively.

“The CVE-2024-7971 exploitation chain relies on various components to compromise a target, and this chain collapses if any of these components are blocked, including CVE-2024-38106,” Microsoft noted.

“Zero-day exploits mandate not only system updates but also security solutions offering comprehensive insight into the cyberattack process to identify and prevent malicious activities post-exploitation.”
