Microsoft has disclosed a sophisticated cyber campaign orchestrated by North Korean threat actors, exploiting a recently patched Google Chrome zero-day vulnerability (CVE-2024-7971) to deploy the notorious FudModule rootkit. This disclosure underscores the persistent threat posed by state-sponsored hacking groups to the global financial sector, particularly cryptocurrency organizations.
Citrine Sleet: The Culprit Behind the Attacks
Microsoft attributes the attacks with “high confidence” to a North Korean hacking group known as Citrine Sleet, previously identified as DEV-0139, AppleJeus, Labyrinth Chollima, or UNC4736 by various cybersecurity firms. This group has a history of targeting financial institutions, with a particular focus on cryptocurrency organizations, in pursuit of financial gain.
The group’s tactics have evolved, as evidenced by their March 2023 attack on 3CX, where they compromised the 3CXDesktopApp client to distribute malware to the company’s customers. This supply chain attack was itself the result of another supply chain compromise targeting Trading Technologies, a firm specializing in automated stock trading.
Anatomy of the Attack: From Chrome to Windows Kernel
The attack chain begins with the exploitation of CVE-2024-7971, a type confusion vulnerability in Chrome’s V8 JavaScript engine. This flaw, patched in mid-August 2024, was discovered by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
Victims are lured to a malicious website (voyagorclub[.]space) controlled by the attackers. The vulnerability allows for remote code execution within the rendering process of Chromium-based browsers, effectively escaping the sandbox.
Following the sandbox escape, the compromised browser is used to download an exploit for a Windows kernel vulnerability (CVE-2024-38106). This second exploit elevates privileges to SYSTEM level, providing the attackers with full control over the victim’s machine.
FudModule: A Sophisticated Rootkit
The final payload in this attack chain is the FudModule rootkit. This malware is loaded into the victim’s device memory and is capable of interfering with the kernel and directly manipulating kernel objects. This level of access allows the attackers to bypass security mechanisms effectively.
FudModule was first detected in October 2022 and has been previously associated with another North Korean group, Diamond Sleet. The shared use of malicious tools and infrastructure between Citrine Sleet and Diamond Sleet suggests a possible connection or collaboration between these threat actors.
Ongoing Threats and Mitigation
Microsoft’s report also highlights a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193), discovered by Gen Threat Labs and patched on August 13. This vulnerability was exploited by Diamond Sleet in attacks using the FudModule rootkit, further emphasizing the persistent threat posed by these groups.
To mitigate these risks, organizations, especially those in the cryptocurrency sector, should prioritize prompt patching of vulnerabilities, implement robust security measures, and maintain vigilant monitoring for suspicious activities. The interconnected nature of these attacks, involving multiple vulnerabilities and shared tools among threat groups, underscores the importance of a comprehensive and proactive cybersecurity strategy.
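As an added defender-side example (not code from Microsoft's report), the following Python matcher refangs the lure domain the article names and flags DNS queries for that domain or any of its subdomains in a log, while not firing on look-alike names. The log layout and the sample entries are constructed assumptions.

```python
import re

# Constructed sample DNS log (not from the article): "timestamp client domain".
SAMPLE_DNS_LOG = """\
2024-08-20T09:12:01Z 10.0.0.15 www.example.com
2024-08-20T09:12:07Z 10.0.0.15 voyagorclub.space
2024-08-20T09:12:09Z 10.0.0.22 cdn.voyagorclub.space
2024-08-20T09:13:44Z 10.0.0.31 voyagorclub.space.evil-lookalike.net
2024-08-20T09:14:02Z 10.0.0.15 notvoyagorclub.space
"""

# Indicator exactly as the article publishes it, in defanged form.
DEFANGED_INDICATORS = ["voyagorclub[.]space"]


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp://, [.], (.), [:]) to get a usable value."""
    value = indicator.strip().lower()
    value = re.sub(r"^hxxps?://", "", value)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def domain_matches(queried: str, indicator: str) -> bool:
    """True if queried is the indicator itself or a subdomain of it."""
    # Compare on label boundaries: a plain substring/suffix test would also
    # flag 'notvoyagorclub.space' or 'voyagorclub.space.evil-lookalike.net'.
    q = queried.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def find_hits(log_text: str, defanged_indicators) -> list:
    """Return (timestamp, client, domain, indicator) for every matching line."""
    indicators = [refang(i) for i in defanged_indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        ts, client, domain = parts
        for ind in indicators:
            if domain_matches(domain, ind):
                hits.append((ts, client, domain.lower(), ind))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DNS_LOG, DEFANGED_INDICATORS):
        print("ALERT", *hit)
```

Run against the constructed log, only the exact domain and its `cdn.` subdomain are reported; the two look-alike names are left alone.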
As North Korean cyber operations continue to evolve and target high-value financial targets, collaboration between cybersecurity firms, technology companies, and targeted sectors becomes crucial in defending against these sophisticated threats. Staying informed about the latest attack vectors and maintaining a strong security posture are essential steps in protecting against state-sponsored cyber campaigns.