On August 19, Microsoft identified a North Korean threat actor it tracks as “Citrine Sleet” (also known as “Labyrinth Chollima”) exploiting a zero-day vulnerability in Chromium, CVE-2024-7971. The vulnerability, which Google has since patched, gave the attacker remote code execution (RCE) in the browser, and the campaign targeted the cryptocurrency sector for financial gain. The exploitation of this vulnerability highlights the ongoing risk posed by state-sponsored cyber actors, particularly in the digital financial domain.
Citrine Sleet, also known by other names such as AppleJeus, Labyrinth Chollima, and Hidden Cobra, is linked to North Korea’s Bureau 121. The group has a history of targeting cryptocurrency exchanges, financial institutions, and gaming companies. They typically use social engineering techniques, including fake job offers and compromised cryptocurrency trading platforms, to lure victims into downloading malicious software.
Discovery and attribution
Microsoft's Threat Intelligence Center (MSTIC) discovered the exploitation of CVE-2024-7971, a type confusion flaw in Chromium's V8 JavaScript and WebAssembly engine. The vulnerability impacted versions of Chromium prior to 128.0.6613.84 and allowed attackers to execute arbitrary code within the browser's sandboxed renderer process. Microsoft assessed with high confidence that Citrine Sleet, a North Korean group, was behind the attack. Citrine Sleet has a history of targeting financial institutions, particularly those involved in cryptocurrency, to fund the North Korean regime.
Citrine Sleet’s activities are closely related to those of another North Korean group, Diamond Sleet. The rootkit used in the attack, known as FudModule, has been previously associated with Diamond Sleet, indicating shared tools and infrastructure between the two groups. Microsoft's analysis suggests a possible collaboration or overlap between these entities.
Exploitation details
CVE-2024-7971 is the third type confusion vulnerability in Chromium's V8 engine exploited this year, following CVE-2024-4947 and CVE-2024-5274. The vulnerability was leveraged by Citrine Sleet in a sophisticated attack chain. The group directed victims to a malicious domain, voyagorclub[.]space, where the RCE exploit was deployed. The attack did not stop at browser exploitation; it further exploited CVE-2024-38106, a Windows kernel vulnerability patched on August 13, 2024, to escape the sandbox environment and install the FudModule rootkit.
FudModule is a particularly advanced rootkit that manipulates kernel objects directly to disrupt security mechanisms on the affected systems. It executes from user mode, a rarity for such powerful malware, and employs techniques like direct kernel object manipulation (DKOM) to evade detection while maintaining persistent access. Notably, this rootkit has been in use since October 2021 and has evolved significantly, with newer versions being more difficult to detect and more capable in terms of stealth and persistence.
Mitigation tips
In response to the discovery, Google quickly released a patch for CVE-2024-7971 on August 21, 2024, in Chrome version 128.0.6613.84. Users are strongly advised to update their browsers to this latest version to protect against potential exploitation. Microsoft has also notified affected customers directly and provided detailed mitigation guidance.
To defend against such threats, users and organizations should:
- Ensure all systems, including browsers and operating systems, are regularly updated.
- Deploy advanced threat detection solutions like Microsoft Defender for Endpoint.
- Monitor for indicators of compromise (IOCs) associated with Citrine Sleet and FudModule.
- Educate employees about the risks of social engineering and phishing, particularly in sectors like cryptocurrency that are frequent targets.
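The first and third items above are the ones a defender can turn into a check. The script below is an added illustration, not part of the original article: it compares an installed Chromium version numerically against the patched build 128.0.6613.84 named in the article (a plain string comparison would wrongly rank "99.0" above "128.0"), and it scans a few constructed proxy log lines for the exploit delivery domain the article reports, voyagorclub[.]space, including any subdomain of it. The log format (timestamp, source IP, destination host, HTTP status) and all sample lines are assumptions made for the example.

```python
import re
from typing import Iterable

# Patched Chromium build named in the article; anything older is treated as exposed.
PATCHED_VERSION = "128.0.6613.84"

# Delivery domain reported in the article (defanged there as voyagorclub[.]space);
# refanged here only so that log lines can be matched against it.
IOC_DOMAINS = {"voyagorclub.space"}


def parse_version(version: str) -> tuple:
    """Turn a dotted Chromium version string into a tuple of ints.

    Tuple comparison is numeric per component, which avoids the classic
    string-comparison bug where "99.0.1" sorts after "128.0.1".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is older than the patched build.

    A truncated version such as "128.0" compares as older than "128.0.6613.84",
    which errs on the side of flagging the host for a closer look.
    """
    return parse_version(installed) < parse_version(patched)


# Assumed proxy log layout: "<ISO timestamp> <client IP> <destination host> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def find_ioc_hits(log_lines: Iterable[str], ioc_domains=IOC_DOMAINS) -> list:
    """Return one record per log line whose destination host is an IOC domain
    or a subdomain of one. Malformed lines are skipped rather than raising."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        # Exact match or a labelled subdomain; "notvoyagorclub.space" must not match.
        if any(host == d or host.endswith("." + d) for d in ioc_domains):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "host": host})
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_PROXY_LOG = [
    "2024-08-19T10:01:02Z 10.0.0.15 www.example.com 200",
    "2024-08-19T10:01:09Z 10.0.0.15 voyagorclub.space 200",
    "2024-08-19T10:02:44Z 10.0.0.22 cdn.voyagorclub.space 302",
    "2024-08-19T10:03:10Z 10.0.0.22 notvoyagorclub.space 200",
    "this line does not follow the assumed layout",
]


def triage(installed_version: str, log_lines: Iterable[str]) -> dict:
    """Combine both checks into one summary a responder can act on."""
    return {
        "browser_needs_update": is_vulnerable_version(installed_version),
        "ioc_hits": find_ioc_hits(log_lines),
    }


if __name__ == "__main__":
    summary = triage("128.0.6613.83", SAMPLE_PROXY_LOG)
    print("Browser needs update:", summary["browser_needs_update"])
    for hit in summary["ioc_hits"]:
        print(f"IOC hit: {hit['ts']} {hit['src']} -> {hit['host']}")
```

Feed `find_ioc_hits` the real proxy or DNS log after adjusting `LOG_LINE` to its layout; a hit from before the browser was updated is the case that warrants a host investigation, since the article describes the browser exploit being chained with a kernel vulnerability to install the FudModule rootkit.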