North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit

August 30, 2024

A North Korean threat actor tracked by Microsoft as Citrine Sleet exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy a rootkit named FudModule, after first escalating to SYSTEM privileges with a Windows kernel exploit. Microsoft stated: "We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain."

Other cybersecurity vendors track the same North Korean group under different names, including AppleJeus, Labyrinth Chollima, and UNC4736, while the U.S. government refers to malicious actors sponsored by the North Korean government collectively as Hidden Cobra. Citrine Sleet mainly targets financial institutions, with a particular focus on cryptocurrency organizations and the individuals who work for them, and has previously been linked to Bureau 121 of North Korea's Reconnaissance General Bureau.

The group is also known for setting up malicious websites disguised as legitimate cryptocurrency trading platforms, which it uses to lure potential victims with fake job applications or to push weaponized cryptocurrency wallets and trading apps. In a previous supply-chain attack, UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX in March 2023. It also breached the website of Trading Technologies, a stock trading automation company, to distribute trojanized X_TRADER software builds.

Google's Threat Analysis Group (TAG) had already linked AppleJeus to the compromise of Trading Technologies' website in a March 2022 report, and the U.S. government has for years repeatedly warned about North Korean state-backed hackers targeting cryptocurrency companies and individuals with AppleJeus malware. Google patched CVE-2024-7971 last week in Chrome 128.0.6613.84, describing it as a type confusion weakness in Chrome's V8 JavaScript engine.

The vulnerability gave the threat actors remote code execution inside the sandboxed Chromium renderer process of targets who were redirected to an attacker-controlled website at voyagorclub[.]space. From the compromised renderer, they downloaded a sandbox escape exploit for CVE-2024-38106, a flaw in the Windows kernel, which let them break out of the browser sandbox and gain SYSTEM privileges. They then downloaded the FudModule rootkit and loaded it directly into memory, using it for kernel tampering and direct kernel object manipulation (DKOM) to disable kernel security mechanisms. Because both the Chrome bug and the kernel bug were needed, applying either the Chrome update or the August Windows security update breaks the chain; the rootkit itself leaves no file on disk, so detection after the fact relies on memory inspection rather than file scanning.
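To make the DKOM step concrete, the following C program is an added, illustrative model and is not FudModule's code or anything from the Microsoft report. It simulates in user mode what a rootkit does when it unlinks a process object from the kernel's active-process list (a simplified stand-in for EPROCESS and its ActiveProcessLinks), and then shows the cross-view check that memory forensics tools use to catch it: compare what a list walk reports against what a scan of all allocated objects finds. The process names and PIDs are constructed sample data.

```c
/* Added example: user-mode model of DKOM process hiding and cross-view detection.
 * Not FudModule code; the structures are deliberately simplified stand-ins. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_PROCS 8

/* Simplified stand-in for EPROCESS: only the fields this example needs. */
typedef struct Process {
    unsigned int pid;
    char name[16];
    struct Process *flink;  /* ActiveProcessLinks.Flink stand-in */
    struct Process *blink;  /* ActiveProcessLinks.Blink stand-in */
} Process;

/* Constructed sample "kernel": a pool of process objects plus a circular list head
 * (the stand-in for PsActiveProcessHead). */
static Process pool[MAX_PROCS];
static size_t pool_count;
static Process list_head;

void kernel_reset(void) {
    pool_count = 0;
    list_head.flink = list_head.blink = &list_head;
}

/* Allocate a process object from the pool and append it to the active list. */
Process *kernel_create_process(unsigned int pid, const char *name) {
    if (pool_count >= MAX_PROCS) return NULL;
    Process *p = &pool[pool_count++];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    p->blink = list_head.blink;
    p->flink = &list_head;
    list_head.blink->flink = p;
    list_head.blink = p;
    return p;
}

/* DKOM: hide a process by unlinking it from the list. The object stays allocated and
 * the process keeps running; only tools that walk the list stop seeing it. The victim
 * keeps its own pointers so a later unlink on exit does not dereference garbage. */
void dkom_unlink(Process *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
}

/* View 1: what a list-walking enumerator sees (the view the rootkit controls). */
size_t view_list_walk(unsigned int *out, size_t max) {
    size_t n = 0;
    for (Process *p = list_head.flink; p != &list_head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2: a pool scan that finds every allocated object regardless of linkage
 * (the view a memory-forensics tool reconstructs from a memory image). */
size_t view_pool_scan(unsigned int *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < pool_count && n < max; i++)
        out[n++] = pool[i].pid;
    return n;
}

/* Cross-view detection: a PID present in the pool scan but absent from the list walk
 * is hidden. Writes hidden PIDs to out and returns how many were found. */
size_t detect_hidden(unsigned int *out, size_t max) {
    unsigned int walk[MAX_PROCS], scan[MAX_PROCS];
    size_t nw = view_list_walk(walk, MAX_PROCS);
    size_t ns = view_pool_scan(scan, MAX_PROCS);
    size_t hidden = 0;
    for (size_t i = 0; i < ns; i++) {
        int seen = 0;
        for (size_t j = 0; j < nw; j++)
            if (walk[j] == scan[i]) { seen = 1; break; }
        if (!seen && hidden < max) out[hidden++] = scan[i];
    }
    return hidden;
}

/* Scenario: build the sample kernel, hide one process, run the detector.
 * Returns the number of hidden processes found; stores the first hidden PID. */
size_t demo_scenario(unsigned int *hidden_pid) {
    kernel_reset();
    kernel_create_process(4, "System");          /* constructed sample data */
    kernel_create_process(812, "lsass.exe");
    Process *implant = kernel_create_process(4412, "implant.exe");
    kernel_create_process(5100, "chrome.exe");
    dkom_unlink(implant);                        /* the rootkit's DKOM step */
    unsigned int hidden[MAX_PROCS];
    size_t n = detect_hidden(hidden, MAX_PROCS);
    if (n > 0 && hidden_pid) *hidden_pid = hidden[0];
    return n;
}

int main(void) {
    unsigned int pid = 0;
    size_t n = demo_scenario(&pid);
    printf("hidden processes detected: %zu (pid %u)\n", n, pid);
    return 0;
}
```

The point of the two views is that a rootkit with kernel write access can make any single enumeration path lie, but it has to lie consistently across every path an investigator might take; a pool scan over a captured memory image is one such independent path, which is why an in-memory-only rootkit like the one described here is investigated with memory forensics rather than disk scanning.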

The FudModule rootkit, first publicly documented in October 2022, has been used by Diamond Sleet, another North Korean hacking group with which Citrine Sleet shares tooling and attack infrastructure. On August 13, Microsoft released a security update addressing a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193) identified by Gen Threat Labs. "In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access," Microsoft stated.

One of the organizations targeted in attacks exploiting the CVE-2024-7971 Chrome zero-day was also previously targeted by another North Korean threat group tracked as BlueNoroff (or Sapphire Sleet).
