North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit

North Korean hackers have successfully exploited a recently patched Google Chrome zero-day vulnerability (CVE-2024-7971) to deploy the FudModule rootkit.

    A Sophisticated Cyberattack Targeting Cryptocurrency Sector

    North Korean hackers have successfully exploited a recently patched Google Chrome zero-day vulnerability (CVE-2024-7971) to deploy the FudModule rootkit. This attack, attributed to the North Korean threat actor known as Citrine Sleet (previously tracked as DEV-0139), targeted the cryptocurrency sector for financial gain.

    The Attack Timeline

    The attack unfolded in a series of steps:

    1. Exploiting the Chrome Zero-Day: The hackers exploited a type confusion vulnerability in Chrome’s V8 JavaScript engine (CVE-2024-7971). This allowed them to gain remote code execution within the sandboxed Chromium renderer process of targeted users who were redirected to a malicious website at voyagorclub[.]space.
    2. Escaping the Sandbox: Using the code execution obtained inside the renderer, the hackers used the compromised browser to download a Windows sandbox escape exploit targeting the CVE-2024-38106 flaw in the Windows Kernel. This flaw, patched in the August 2024 Patch Tuesday updates, enabled the hackers to escape the Chromium sandbox and gain SYSTEM privileges.
    3. Deploying the FudModule Rootkit: The attackers then downloaded and loaded the FudModule rootkit into memory. This rootkit, known for its stealthy nature, facilitated kernel tampering and direct kernel object manipulation (DKOM), allowing the hackers to bypass kernel security mechanisms.
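    The chain above starts with a browser redirect to a single landing domain and relies on an unpatched Chrome build, which gives a defender two cheap things to look for in web-proxy logs. The following triage script is an added example written for this page, not code from the article or from the researchers who analysed the attack. It assumes a simple space-separated proxy log format (timestamp, client IP, quoted user agent, URL, status) that is constructed inline, and it treats the patched Chrome version as a placeholder constant to be replaced with the fixed build number from Google's advisory for CVE-2024-7971.

```python
"""Triage constructed proxy-log lines for the Citrine Sleet Chrome chain.

Two checks a defender can run after reading the advisory:
  1. any request to the landing domain named in the article
     (voyagorclub[.]space, kept defanged in the indicator list and
     re-fanged only for matching), including subdomains;
  2. Chrome user agents older than the patched build, i.e. clients
     that were still exposed to the V8 type confusion bug.
"""
import re
import urllib.parse
from dataclasses import dataclass

# Assumption: placeholder for the first Chrome build carrying the fix for
# CVE-2024-7971. Replace with the version from Google's release notes.
PATCHED_CHROME = (128, 0, 6613, 84)

# Indicator taken from the article, stored defanged.
MALICIOUS_DOMAINS = {"voyagorclub[.]space"}

# Assumed log layout: <ts> <client> "<user-agent>" <url> <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" (?P<url>\S+) (?P<status>\d{3})$'
)
# Matches Chrome and Chromium-derived browsers (Edge, Brave, ...) alike,
# which is intended: they share the vulnerable V8 engine.
CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


@dataclass
class Finding:
    client: str
    reason: str
    detail: str


def refang(domain: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a matchable host."""
    return domain.replace("[.]", ".")


def parse_chrome_version(ua: str):
    """Return the Chrome build as a comparable int tuple, or None if absent."""
    m = CHROME_RE.search(ua)
    return tuple(int(x) for x in m.groups()) if m else None


def host_of(url: str) -> str:
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def triage(lines):
    """Scan log lines and return one Finding per suspicious observation."""
    bad_hosts = {refang(d) for d in MALICIOUS_DOMAINS}
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, ua, url = m["client"], m["ua"], m["url"]
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in bad_hosts):
            findings.append(Finding(client, "contact with exploit landing domain", host))
        ver = parse_chrome_version(ua)
        if ver is not None and ver < PATCHED_CHROME:
            findings.append(Finding(client, "Chrome older than patched build",
                                    ".".join(map(str, ver))))
    return findings


# Constructed sample log: one client on an old build reaches the landing
# domain, one patched client browses normally, one Firefox client hits a
# subdomain of the indicator.
SAMPLE_LOG = """\
2024-08-19T10:02:11Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.120 Safari/537.36" https://voyagorclub.space/ 200
2024-08-19T10:02:12Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.120 Safari/537.36" https://cdn.example.com/app.js 200
2024-08-19T10:05:40Z 10.0.0.33 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.84 Safari/537.36" https://www.example.com/ 200
2024-08-19T10:07:03Z 10.0.0.41 "Mozilla/5.0 (X11; Linux x86_64) Firefox/129.0" https://sub.voyagorclub.space/x 302
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.client}: {f.reason} ({f.detail})")
```

    The domain match alone identifies exposed hosts that should be isolated and examined for the kernel-exploit and rootkit stages, while the version check widens the net to clients that never visited the known domain but would still have been vulnerable to the same bug on any other landing page.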

    The FudModule Rootkit: A Powerful Tool for Cybercriminals

    The FudModule rootkit, discovered in October 2022, has been used by multiple North Korean hacking groups, including Diamond Sleet. This rootkit provides full standard user-to-kernel access, enabling attackers to gain complete control over the compromised system.

    Citrine Sleet: A Persistent Threat

    Citrine Sleet, also known as AppleJeus, Labyrinth Chollima, and UNC4736, is a well-known North Korean threat group that has been actively targeting financial institutions, particularly cryptocurrency organizations and individuals. They have been linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.

    The group has a history of using malicious websites disguised as legitimate cryptocurrency trading platforms to lure victims with fake job applications or weaponized cryptocurrency wallets and trading apps. They have also been involved in supply-chain attacks, such as the trojanization of the Electron-based desktop client of video conferencing software maker 3CX in March 2023 and the breach of Trading Technologies’ website in 2022.

    The Importance of Patching and Security Awareness

    This attack highlights the critical importance of keeping software up-to-date with the latest security patches. The Chrome zero-day vulnerability (CVE-2024-7971) was patched by Google in August 2024, and the Windows Kernel vulnerability (CVE-2024-38106) was patched during the same month’s Patch Tuesday updates.

    Furthermore, users should be vigilant about suspicious websites, emails, and downloads, especially those related to cryptocurrency. It is crucial to exercise caution and avoid clicking on links or downloading files from unknown sources.

    Conclusion

    The exploitation of the Chrome zero-day vulnerability by Citrine Sleet underscores the growing sophistication of cyberattacks and the persistent threat posed by North Korean hackers. This attack serves as a stark reminder of the importance of maintaining strong cybersecurity practices, including regular patching, security awareness training, and robust security solutions.
