North Korean hackers exploit Chrome zero-day to deploy rootkit

North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.

“We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain,” Microsoft said on Friday, attributing the attacks to Citrine Sleet (previously tracked as DEV-0139).

Other cybersecurity vendors track this North Korean threat group as AppleJeus, Labyrinth Chollima, and UNC4736, while the U.S. government collectively refers to malicious actors sponsored by the North Korean government as Hidden Cobra.

Citrine Sleet targets financial institutions, focusing on cryptocurrency organizations and associated individuals, and has previously been linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.

The North Korean hackers are also known for using malicious websites disguised as legitimate cryptocurrency trading platforms to infect potential victims with fake job applications or weaponized cryptocurrency wallets or trading apps.

UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX in March 2023, following an earlier supply-chain attack in which they breached the website of Trading Technologies, a stock trading automation company, to push trojanized X_TRADER software builds.

Google’s Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies’ website in a March 2022 report. The U.S. government has also warned for years about North Korean state-backed hackers targeting cryptocurrency-related companies and individuals with AppleJeus malware.

Windows Kernel exploit downloaded in Chrome zero-day attack

Google patched the CVE-2024-7971 zero-day last week, describing it as a type confusion weakness in Chrome’s V8 JavaScript engine. This vulnerability enabled the threat actors to gain remote code execution within the sandboxed Chromium renderer process of targets redirected to an attacker-controlled website at voyagorclub[.]space.

After escaping the sandbox, they used the compromised web browser to download a Windows sandbox escape exploit targeting the CVE-2024-38106 flaw in the Windows Kernel (fixed during this month’s Patch Tuesday), which enabled them to gain SYSTEM privileges.

The threat actors also downloaded and loaded the FudModule rootkit into memory, which was used for kernel tampering and direct kernel object manipulation (DKOM) and allowed them to bypass kernel security mechanisms.

Since its discovery in October 2022, this rootkit has also been used by Diamond Sleet, another North Korean hacking group with which Citrine Sleet shares other malicious tools and attack infrastructure.

“On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs,” Microsoft said on Friday.

“In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access.”

Redmond added that one of the organizations targeted in attacks exploiting the CVE-2024-7971 Chrome zero-day was also previously targeted by another North Korean threat group tracked as BlueNoroff (or Sapphire Sleet).