2 September 2024

North Korean hackers exploit Chromium zero-day to deploy FudModule rootkit


A North Korean threat actor has been observed exploiting a recently disclosed zero-day vulnerability in the Chromium browser, tracked as CVE-2024-7971, to gain remote code execution (RCE). The activity is believed to be part of a broader campaign targeting the cryptocurrency sector for financial gain.

CVE-2024-7971 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Chromium, affecting versions prior to 128.0.6613.84. Exploiting it gives an attacker code execution inside the sandboxed Chromium renderer process; on its own that does not compromise the host, but it is the first stage of a chain that can. Google addressed the vulnerability with a security patch released on August 21, 2024. Google also updated its security advisory last week to warn of active exploitation of CVE-2024-7965, an inappropriate implementation issue in V8 in Google Chrome that a remote attacker could use to compromise a system. The vendor said that in-the-wild exploitation of CVE-2024-7965 was reported after the initial release on August 21, 2024.

Microsoft's threat intelligence unit has attributed the attack exploiting CVE-2024-7971 to a threat actor it tracks as Citrine Sleet. The group, tracked by other vendors as AppleJeus, Labyrinth Chollima, and Hidden Cobra, is linked to Bureau 121 of North Korea's Reconnaissance General Bureau. It has a well-documented history of cyberattacks against cryptocurrency exchanges, financial institutions, and gaming companies.

Citrine Sleet’s tactics involve extensive reconnaissance of the cryptocurrency industry, often using social engineering to lure targets. The group has been known to create fake websites mimicking legitimate cryptocurrency trading platforms. These sites are used to distribute malicious software, such as weaponized cryptocurrency wallets or trading applications.

In the recent campaign, the threat actor was observed exploiting the now-patched Chromium zero-day to deploy the FudModule rootkit, a kernel-mode implant that Microsoft attributes to both Citrine Sleet and another North Korean threat actor it tracks as Diamond Sleet. Microsoft previously identified shared infrastructure and tools between these two groups, suggesting the FudModule rootkit may be a shared resource.

The FudModule rootkit is designed to gain kernel access while evading detection. It uses Direct Kernel Object Manipulation (DKOM) to tamper with kernel security mechanisms, turning administrator-level access into kernel access and performing unauthorized operations at the kernel level. FudModule was previously observed in attacks by the North Korean hacking outfit Lazarus Group that exploited Windows zero-day flaws.

The attack began with Citrine Sleet directing targets to a malicious domain under its control, voyagorclub[.]space. Once the victim visited the domain, the zero-day exploit for CVE-2024-7971 was delivered, enabling the attackers to execute code within the Chromium renderer process. Shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was then downloaded and loaded into memory.

The sandbox escape exploited another vulnerability, CVE-2024-38106, in the Windows kernel. Microsoft patched it on August 13, 2024, but there is no direct evidence linking the exploit activity previously reported for CVE-2024-38106 to Citrine Sleet, suggesting a potential "bug collision" (independent discovery of the same bug) or shared knowledge of the vulnerability among different threat actors.

Once the sandbox escape was successful, the FudModule rootkit executed in memory, manipulating the kernel to maintain persistence and control over the compromised system.

“The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106,” Microsoft said, urging organizations that have not implemented the fixes yet to do so as soon as possible.
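Two components of this chain are directly observable from the defender's side: the installed Chromium build (the article's fix threshold is 128.0.6613.84, which it says also covers CVE-2024-7965) and traffic to the lure domain voyagorclub[.]space. The following Python script is an added example, not code from the article or from Microsoft, that triages a fleet against both. The inventory and proxy log formats, the host names and the log lines are constructed for the example.

```python
"""Triage helper for the CVE-2024-7971 / FudModule chain described above.

Checks two observable components of the chain:
  * the Chromium build on each endpoint against the fix in 128.0.6613.84, and
  * proxy traffic to the lure domain voyagorclub[.]space.

The inventory and proxy formats, host names and log lines are constructed
for this example and are not from the article.
"""

# Fix threshold from the article: builds before 128.0.6613.84 are affected.
CVE_2024_7971_FIXED = (128, 0, 6613, 84)

# Lure domain from the article, kept defanged here and refanged at match time.
LURE_DOMAINS = {"voyagorclub[.]space"}

# Constructed endpoint inventory: host<TAB>installed Chromium version.
INVENTORY = [
    "# host\tchromium_version",
    "WS-01\t127.0.6533.120",
    "WS-02\t128.0.6613.84",
    "WS-03\t128.0.6613.119",
    "WS-04\t128.0.6613.83",
]

# Constructed proxy log: timestamp<TAB>host<TAB>destination<TAB>path.
PROXY_LOG = [
    "2024-08-19T10:02:11Z\tWS-01\tvoyagorclub.space\t/",
    "2024-08-19T10:02:12Z\tWS-01\tcdn.voyagorclub.space\t/loader.js",
    "2024-08-19T11:15:40Z\tWS-02\tvoyagorclub.space\t/",
    "2024-08-19T11:20:00Z\tWS-05\tVOYAGORCLUB.SPACE\t/",
    "2024-08-19T12:00:00Z\tWS-03\tnotvoyagorclub.space\t/",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (voyagorclub[.]space) into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def parse_version(version: str) -> tuple:
    """Parse a dotted Chromium version into a 4-tuple so it compares numerically.

    Comparing as strings would rank 128.0.6613.9 above 128.0.6613.84.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Chromium version: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str, fixed: tuple = CVE_2024_7971_FIXED) -> bool:
    """True when the installed build predates the fix."""
    return parse_version(version) < fixed


def parse_inventory(lines):
    """Map host -> installed version from the constructed inventory format."""
    inventory = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, version = line.split("\t")
        inventory[host] = version
    return inventory


def hosts_contacting(lines, indicators):
    """Hosts whose proxy traffic went to an indicator domain or one of its subdomains."""
    targets = {refang(d) for d in indicators}
    hits = set()
    for line in lines:
        _ts, host, dest, _path = line.split("\t")
        dest = dest.lower()
        if any(dest == t or dest.endswith("." + t) for t in targets):
            hits.add(host)
    return hits


def triage(inventory_lines, proxy_lines):
    """Classify each host; only hosts with something to act on appear in the result."""
    inventory = parse_inventory(inventory_lines)
    contacted = hosts_contacting(proxy_lines, LURE_DOMAINS)
    report = {}
    for host, version in inventory.items():
        vulnerable, hit = is_vulnerable(version), host in contacted
        if vulnerable and hit:
            report[host] = "exposed-and-contacted"   # isolate, capture memory first
        elif hit:
            report[host] = "contacted-patched"       # renderer exploit should fail; still review
        elif vulnerable:
            report[host] = "unpatched"               # update before the next lure
    for host in contacted - set(inventory):
        report[host] = "contacted-unknown-version"  # no inventory record; treat as exposed
    return report


if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY, PROXY_LOG).items()):
        print(f"{host}\t{verdict}")
```

The version must come from an endpoint inventory, not from the User-Agent header in the proxy logs: Chrome reduces the reported version to MAJOR.0.0.0, so a UA string cannot tell 128.0.6613.83 from .84. The Windows kernel fix for CVE-2024-38106 is the chain's other blocking point; the article gives no update identifier for it, so it is not checked here.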
