North Korean Hackers

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.

The development is indicative of the persistent efforts made by the nation-state adversary, which has made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).

It's worth mentioning that the use of the AppleJeus malware has also been previously attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.

Cybersecurity

"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.

"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."

The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.

The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.

As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.

It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub[.]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.

The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to "establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform [direct kernel object manipulation]."

Cybersecurity

CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.

"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.

CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in two built-in Windows drivers (appid.sys and AFD.sys) and were fixed by Microsoft in February and August.

"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.

"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."

Update

Gen Digital, in an analysis published on September 19, 2024, detailed an updated version of the FudModule rootkit (FudModule v3.0) that, unlike previous instances that employed variations of the Bring Your Own Vulnerable Driver (BYOVD) technique, exploits a flaw in the AFD.sys driver (CVE-2024-38193) achieve read/write access in kernel space.

It also comes up with capabilities to disable crash dumps and inject shellcode, effectively turning the rootkit into a stager for another payload. "The process involves two consecutive shellcode injections into different processes: one into services.exe and the other into msiexec.exe," researcher Luigino Camastra said.

(The story was updated after publication on October 23, 2024, to include information about a new version of FudModule.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.