North Korean Hackers Actively Exploiting Chromium RCE Zero-Day In The Wild

Microsoft has identified a North Korean threat actor, Citrine Sleet, exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution on cryptocurrency targets. 

The threat actor deployed the FudModule rootkit, previously attributed to Diamond Sleet, suggesting potential shared use of malware between these North Korean threat actors.

The V8 JavaScript engine in Chrome versions prior to 128.0.6613.84 contained a type confusion vulnerability (CVE-2024-7971) that could be exploited to achieve remote code execution in the sandboxed renderer process. 

Google released a patch on August 21, 2024, and users should update to the latest version to mitigate the risk, which is the third V8 type confusion vulnerability patched this year, following CVE-2024-4947 and CVE-2024-5274.

Citrine Sleet, a North Korean threat actor targeting financial institutions, particularly cryptocurrency-related entities, uses social engineering to distribute AppleJeus malware by collecting information for seizing control of cryptocurrency assets. 

The recently discovered FudModule rootkit, previously attributed to Diamond Sleet, is now linked to Citrine Sleet, indicating shared tooling between the two groups.

North Korean hackers, Citrine Sleet, are exploiting vulnerabilities in cryptocurrency, gaming, and exchange platforms to raise funds for their regime, while Citrine Sleet and Sapphire Sleet have both targeted a specific vulnerability, CVE-2024-7971, demonstrating their ongoing interest in exploiting these sectors.

It has been linked to various aliases like AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, which are associated with Bureau 121 and have been actively involved in cyberattacks targeting various organizations worldwide. 

Citrine Sleet targeted victims through social engineering and directed them to a malicious domain.

Upon visiting the domain, users were exploited using a zero-day vulnerability (CVE-2024-7971) to gain remote code execution on their devices.

They exploited CVE-2024-38106 in the Windows kernel to escape a sandboxed Chromium renderer process and load a rootkit into memory, which was patched by Microsoft on August 13, 2024, before the exploit was publicly known. 

While the exploit activity was reported to Microsoft, it’s unclear if there’s a direct connection between this incident and the previously reported exploitation of CVE-2024-38106, which indicate either independent discovery or shared knowledge of the vulnerability.

FudModule, a sophisticated rootkit malware, targets kernel access by exploiting vulnerable drivers to establish admin-to-kernel privileges.

Threat actors have used FudModule since 2021, with recent variants exploiting a zero-day vulnerability in appid.sys to bypass detection and gain full control over Windows systems.

Recent research uncovered a new variant of FudModule, FudModule 2.0, deployed in an attack chain involving the Kaolin RAT, which exploits the CVE-2024-38193 vulnerability in the AFD.sys driver to establish full standard user-to-kernel access, allowing for the deployment of the FudModule rootkit and subsequent remote access capabilities.

Microsoft’s security update for CVE-2024-38106 blocks the CVE-2024-7971 exploit chain.

Customers should update their systems immediately to prevent exploitation and implementing a unified security solution can help detect and block post-compromise attacker tools.

https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download