
North Korean hackers actively exploited a critical Chromium zero-day

A zero-day flaw in the open source Chromium browser engine, patched by Google on August 21, 2024, was exploited by Citrine Sleet, a financially motivated North Korean threat actor, to deliver the FudModule rootkit.

The vulnerability, tracked as CVE-2024-7971, is a type confusion flaw in V8, the JavaScript and WebAssembly engine used by Chromium and every browser built on it, including Microsoft Edge. It carries a CVSS 3.1 base score of 8.8 out of 10, which is High severity (9.0 or above is Critical).

“On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium to gain remote code execution (RCE),” said a Microsoft Threat Intelligence report. “Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet.”

The report added that the FudModule rootkit has historically been shared between Citrine Sleet and Diamond Sleet (formerly Zinc), another North Korean threat actor that targets media, defense, and information technology (IT) organizations globally.

RCE to deliver FudModule

The report explained that victims were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. The exact lure is unknown, but social engineering is suspected because it is a staple Citrine Sleet technique. Once a target's browser connected to the domain, it was served the exploit for CVE-2024-7971, which gave the attacker code execution inside the sandboxed renderer process.
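The only indicator the report gives for this stage is the defanged exploit domain. The following is an added example (not code from Microsoft or the article) of how a responder would refang that indicator and sweep proxy logs for the domain or any of its subdomains, while not firing on look-alike hosts. The log lines are constructed samples in a simple "timestamp client status bytes method url" layout, not real telemetry:

```python
"""Hunt proxy logs for contact with the Citrine Sleet exploit domain.

Added example, not from Microsoft's report. The indicator below is the one
the report publishes (defanged); the log lines are constructed samples.
"""
import re
from urllib.parse import urlsplit

# Published indicator, kept defanged exactly as reported.
DEFANGED_IOCS = ["voyagorclub[.]space"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-case hostname."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxp", "http")
        .strip()
        .lower()
    )


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain of it.

    Deliberately false for look-alikes such as notvoyagorclub.space
    (different registrable domain) and voyagorclub.space.evil.test
    (the IOC is only a prefix of the real domain).
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed proxy log lines: timestamp client status bytes method url ...
SAMPLE_LOGS = [
    "1724112001.123 10.0.0.7 TCP_MISS/200 5123 GET https://www.example.test/ - HIER_DIRECT/- text/html",
    "1724112002.456 10.0.0.7 TCP_MISS/200 90211 GET https://voyagorclub.space/ - HIER_DIRECT/- text/html",
    "1724112003.789 10.0.0.9 TCP_MISS/200 77 GET https://cdn.voyagorclub.space/x.js - HIER_DIRECT/- application/javascript",
    "1724112004.000 10.0.0.9 TCP_MISS/200 77 GET https://notvoyagorclub.space/ - HIER_DIRECT/- text/html",
    "1724112005.000 10.0.0.11 TCP_MISS/200 77 GET http://voyagorclub.space.evil.test/ - HIER_DIRECT/- text/html",
]

# First whitespace-delimited http(s) URL on the line.
URL_RE = re.compile(r"\s(https?://\S+)\s")


def scan(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (client_ip, host, url) for every line whose URL host hits an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlsplit(url).hostname or ""
        if any(host_matches(host, ioc) for ioc in iocs):
            client = line.split()[1]
            hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in scan(SAMPLE_LOGS):
        print(f"{client} contacted exploit domain {host}: {url}")
```

Against the samples, only the two genuine `voyagorclub.space` contacts are reported; the two look-alike hosts are ignored. The same `host_matches` rule applies to DNS query logs, where the host is the queried name rather than a URL component.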

“After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory,” Microsoft added in the report.

The sandbox escape stage exploited CVE-2024-38106, a Windows Kernel elevation-of-privilege vulnerability that Microsoft had fixed in its August 13, 2024 security updates, so the full chain only worked on systems that had not yet installed that update.

After the sandbox escape succeeded, the main FudModule rootkit ran in memory. Microsoft describes it as using direct kernel object manipulation (DKOM) to target Windows kernel security mechanisms while running entirely from user mode: rather than loading a driver, it tampers with kernel structures through a kernel read/write primitive.

Citrine Sleet is financially motivated

Citrine Sleet, also tracked as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is a financially motivated threat actor that primarily targets organizations and individuals managing cryptocurrency.

“As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it,” the report added. “The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.”

The threat actor was previously linked to the 3CX supply chain attack, which affected six million customers. In that campaign Citrine Sleet used a trojanized X_TRADER trading application for malware delivery and information stealing, and the same trojanized installer also compromised two critical infrastructure organizations in the energy sector.

Microsoft has recommended promptly applying the fixes for both CVE-2024-7971 (in Chromium-based browsers) and CVE-2024-38106 (in Windows) to protect against Citrine Sleet exploitation. Either patch on its own breaks this particular chain, but only the browser update stops the initial code execution in the renderer.

