North Korean hackers exploit Chrome zero-day to deploy rootkit

North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.

“We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain,” Microsoft said on Friday, attributing the attacks to Citrine Sleet (previously tracked as DEV-0139).

Other cybersecurity vendors track this North Korean threat group as AppleJeus, Labyrinth Chollima, and UNC4736, while the U.S. government collectively refers to malicious actors sponsored by the North Korean government as Hidden Cobra.

Citrine Sleet targets financial institutions, specializing in cryptocurrency organizations and associated individuals, and has previously been linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.

The North Korean hackers are also known for using malicious websites camouflaged as legitimate cryptocurrency trading platforms to infect potential victims with fake job applications or weaponized cryptocurrency wallets or trading apps.

UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX in March 2023, following an earlier supply-chain attack in which they breached the site of Trading Technologies, a stock trading automation company, to push trojanized X_TRADER software builds.

Google’s Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies’ website in a March 2022 report. The U.S. government has also warned for years about North Korean-backed state hackers targeting cryptocurrency-related companies and individuals with AppleJeus malware.

Windows Kernel exploit downloaded in Chrome zero-day attack

Google patched the CVE-2024-7971 zero-day last week, describing it as a type confusion weakness in Chrome’s V8 JavaScript engine. This vulnerability enabled the threat actors to gain remote code execution in the sandboxed Chromium renderer process of targets redirected to an attacker-controlled website at voyagorclub[.]space.

After escaping the sandbox, they used the compromised web browser to download a Windows sandbox escape exploit targeting the CVE-2024-38106 flaw in the Windows Kernel (fixed during this month’s Patch Tuesday), which enabled them to gain SYSTEM privileges.

The threat actors also downloaded and loaded the FudModule rootkit into memory, which was used for kernel tampering and direct kernel object manipulation (DKOM) and allowed them to bypass kernel security mechanisms.

Since its discovery in October 2022, this rootkit has also been used by Diamond Sleet, another North Korean hacking group with which Citrine Sleet shares other malicious tools and attack infrastructure.

“On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs,” Microsoft said on Friday.

“In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access.”

Redmond added that one of the organizations targeted in attacks exploiting the CVE-2024-7971 Chrome zero-day was also previously targeted by another North Korean threat group tracked as BlueNoroff (or Sapphire Sleet).
