North Korean hackers exploit Chrome zero-day to deploy rootkit

North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.

“We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain,” Microsoft said on Friday, attributing the attacks to Citrine Sleet (previously tracked as DEV-0139).

Other cybersecurity vendors track this North Korean threat group as AppleJeus, Labyrinth Chollima, and UNC4736, while the U.S. government collectively refers to malicious actors sponsored by the North Korean government as Hidden Cobra.

Citrine Sleet targets financial institutions, focusing on cryptocurrency organizations and associated individuals, and has previously been linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.

The North Korean hackers are also known for using malicious websites camouflaged as legitimate cryptocurrency trading platforms to infect potential victims with fake job applications or weaponized cryptocurrency wallets or trading apps.

UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX in March 2023, following an earlier supply-chain attack in which they breached the site of Trading Technologies, a stock trading automation company, to push trojanized X_TRADER software builds.

Google’s Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies’ website in a March 2022 report. The U.S. government has also warned for years about North Korean state-backed hackers targeting cryptocurrency-related companies and individuals with AppleJeus malware.

Windows Kernel exploit downloaded in Chrome zero-day attack

Google patched the CVE-2024-7971 zero-day last week, describing it as a type confusion weakness in Chrome’s V8 JavaScript engine. This vulnerability enabled the threat actors to gain remote code execution in the sandboxed Chromium renderer process of targets redirected to an attacker-controlled website at voyagorclub[.]space.

After escaping the sandbox, they used the compromised web browser to download a Windows sandbox escape exploit targeting the CVE-2024-38106 flaw in the Windows Kernel (fixed during this month’s Patch Tuesday), which enabled them to gain SYSTEM privileges.

The threat actors also downloaded and loaded the FudModule rootkit into memory, which was used for kernel tampering and direct kernel object manipulation (DKOM) and allowed them to bypass kernel security mechanisms.

Since its discovery in October 2022, this rootkit has also been used by Diamond Sleet, another North Korean hacking group with which Citrine Sleet shares other malicious tools and attack infrastructure.

“On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs,” Microsoft said on Friday.

“In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access.”

Redmond added that one of the organizations targeted in attacks exploiting the CVE-2024-7971 Chrome zero-day was also previously targeted by another North Korean threat group tracked as BlueNoroff (or Sapphire Sleet).