North Korean hackers exploit Chrome zero-day to target crypto users


North Korean hackers are at it again. This time, they’re deploying a dangerous rootkit and running remote code by chaining Chromium and Windows kernel vulnerabilities to escape the browser’s security sandbox. According to Microsoft research, all they need is for the victim to visit the website.

North Korean threat actor Citrine Sleet has long been known to create fake websites masquerading as crypto trading platforms. Hackers use them to send fake job applications or lure victims into downloading malicious cryptocurrency wallets or trading applications.

On August 19th, Microsoft identified Citrine Sleet using a new zero-day vulnerability affecting Chrome and other Chromium-based browsers. The flaw allowed hackers to bypass the browser’s restrictions and run remote code in the Chromium renderer process.

ADVERTISEMENT

The hackers had some time to reign without the introduction of a patch. Google eventually released a fix for the vulnerability on August 21st, 2024, and everyone should ensure they’re using the latest browser version.

How does the attack work?

The attack chain is sophisticated as it relies on multiple components to compromise a single target and fails if any of the components are blocked or detected.

Firstly, Citrine Sleet lures its victims to visit a new exploit website, Voyagerclub [.]space. The threat actor often uses social engineering to achieve this.

If a victim connects to the malicious domain, it will serve the zero-day remote code execution (RCE) exploit for CVE-2024-7971. This is the third exploited high-severity type-confusion vulnerability in the V8 Javascript engine that has been patched this year.

The V8 executes JavaScript code on websites. The so-called “type confusion” vulnerability means that attackers can pass an incompatible type of resource to an engine, leading to logical errors and memory corruption.

This allowed the North Korean attackers to run remote code with another now-patched exploit of the Windows kernel vulnerability. The exploit installed the rootkit called FudModule, which has been used since at least October 2021.

“FudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection,” Microsoft said in its report.

ADVERTISEMENT

The cybercriminals used other tools to establish secure encrypted connections with command and control servers and execute a “robust list of commands” for downloading and uploading files.

“Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it,” Microsoft said.

“Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets.”

Microsoft said it has directly notified targeted or compromised customers, providing them with important information to help secure their environments.