Key Takeaways
- A North Korean threat actor, Citrine Sleet, has been observed exploiting a zero-day vulnerability in Chromium, tracked as CVE-2024-7971, to achieve Remote Code Execution (RCE).
- Citrine Sleet, also tracked by other security vendors under the names AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau. The group primarily targets financial institutions, especially those involved with cryptocurrency, for financial gain.
- The group’s tactics, techniques, and procedures (TTPs) have now been linked to the FudModule rootkit, which has also been associated with Diamond Sleet, another North Korean threat actor.
- Citrine Sleet creates fraudulent websites that mimic legitimate cryptocurrency trading platforms to distribute fake job applications or lure targets into downloading a trojanized cryptocurrency wallet or trading application.
- The threat actor typically infects targets with its custom trojan malware, AppleJeus, designed to gather the information needed to take control of victims’ cryptocurrency assets.
Overview
The Citrine Sleet threat actor group was observed by Microsoft researchers exploiting the CVE-2024-7971 zero-day vulnerability in the V8 JavaScript and WebAssembly engine, which affects versions of Chromium prior to 128.0.6613.84. By exploiting this vulnerability, the attackers achieved remote code execution (RCE) inside the sandboxed Chromium renderer process. Google released a patch for the vulnerability on August 21, 2024, and users are advised to update to the latest version of Chromium to mitigate the risk.
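Because the advisory gives a concrete fixed build (128.0.6613.84), the first thing a defender wants is a reliable way to tell which endpoints are still below it. The script below is an added example, not code from the original article or from Google or Microsoft; it compares dotted four-part Chromium versions numerically rather than as strings, and the host inventory it runs over is constructed for illustration.

```python
"""Flag Chromium/Chrome builds older than the version that fixes CVE-2024-7971.

Added example, not code from the original article or from Google/Microsoft.
The fixed version is the one stated in the advisory; the inventory is constructed.
"""
import re
from typing import Dict, List, Tuple

# Fixed build stated in the advisory for CVE-2024-7971.
FIXED_VERSION = "128.0.6613.84"

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a four-part Chromium version ("128.0.6613.84") into an int tuple.

    Comparing tuples of ints avoids the classic string-comparison bug where
    "99.0.4844.51" sorts after "128.0.6613.84" because "9" > "1".
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a four-part Chromium version: {version!r}")
    major, minor, build, patch = (int(p) for p in version.split("."))
    return major, minor, build, patch


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is strictly older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: installed_version}, return hosts still on a vulnerable build."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the example.
    sample = {
        "ws-01": "127.0.6533.120",
        "ws-02": "128.0.6613.84",
        "ws-03": "128.0.6613.113",
        "ws-04": "99.0.4844.51",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is below {FIXED_VERSION}, update required")
```

In practice the inventory dictionary would be fed from whatever endpoint-management or software-inventory data you already collect; the point of the example is the numeric comparison and the rejection of malformed version strings, both of which are easy to get wrong in a one-off query.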
Technical Analysis
The observed attack chain involved a typical browser exploit sequence, starting with targets being directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space, through common social engineering tactics.
Once the users had connected, the zero-day RCE exploit for CVE-2024-7971 was deployed, allowing the attackers to download and load into memory shellcode containing a Windows sandbox escape exploit and the FudModule rootkit.
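The exploit domain above is the one network indicator the report gives, so a natural defensive step is to sweep proxy or DNS logs for it. The script below is an added example, not code from the original article or from Microsoft's reporting; it refangs the defanged indicator, matches the domain and its subdomains without falling for look-alike hosts, and runs over a constructed, simplified log format (timestamp, client IP, destination host or URL).

```python
"""Sweep proxy/DNS log lines for the exploit domain named in the advisory.

Added example, not from the original article or from Microsoft. The log
format and all sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Defanged indicator as published in the advisory above.
IOC_DEFANGED = "voyagorclub[.]space"


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to the literal form seen in logs.

    Handles the common "[.]", "(.)", "[dot]" and "hxxp(s)://" conventions.
    """
    out = indicator.strip().lower()
    out = out.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    out = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), out)
    return out


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IoC domain or is one of its subdomains.

    A plain substring test would also flag unrelated hosts such as
    'notvoyagorclub.space', so compare on label boundaries instead.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass
class Hit:
    timestamp: str
    client: str
    host: str


def scan_log(lines: Iterable[str], ioc_defanged: str = IOC_DEFANGED) -> List[Hit]:
    """Scan whitespace-separated 'timestamp client_ip destination' lines for the IoC."""
    ioc = refang(ioc_defanged)
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash the sweep
        ts, client, dest = parts[0], parts[1], parts[2].lower()
        # The destination may be a full URL; reduce it to the bare host name.
        host = re.sub(r"^[a-z]+://", "", dest).split("/")[0].split(":")[0]
        if host_matches(host, ioc):
            hits.append(Hit(ts, client, host))
    return hits


# Constructed sample log; the client IPs and timestamps are made up.
SAMPLE_LOG = """\
2024-08-19T10:02:11Z 10.1.4.22 www.example.com
2024-08-19T10:03:45Z 10.1.4.22 voyagorclub.space
2024-08-19T10:03:46Z 10.1.4.22 https://cdn.voyagorclub.space/js/app.js
2024-08-19T10:05:00Z 10.1.7.9 notvoyagorclub.space
malformed line
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.host}")
```

A hit only tells you a client resolved or fetched from the domain; it is the trigger for pulling that endpoint's browser version and process history, not proof of compromise on its own.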
FudModule is a sophisticated rootkit designed to gain kernel access while evading detection. Threat actors have been seen using the FudModule data-only rootkit to gain admin-to-kernel access on Windows-based systems, enabling read/write primitives and Direct Kernel Object Manipulation (DKOM).
The attack chain seen in Citrine Sleet’s zero-day exploit of CVE-2024-7971 closely mirrors the chain observed by Avast, which involves a variant of FudModule known as “FudModule 2.0.” This variant includes malicious loaders and a late-stage remote access trojan (RAT). The research identified the previously unknown Kaolin RAT as the malware responsible for deploying the FudModule rootkit on targeted devices.
Conclusion and Recommendations
CVE-2024-7971 is the third vulnerability this year that North Korean threat actors have exploited to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193. To address zero-day exploits effectively, it is essential not only to keep systems updated but also to use security solutions that offer comprehensive visibility across the cyberattack chain, so that attacker tools and malicious activity can be detected and blocked after exploitation.
To mitigate the risks posed by Citrine Sleet and similar threats, the following best practices are recommended:
- Turn on automatic software updates on your computer, mobile device, and any other connected devices wherever feasible and practical.
- Use a trusted antivirus solution and internet security software suite on all connected devices, such as your PC, laptop, and mobile phone.
- Conduct regular vulnerability assessments to maintain a proactive security posture.
- Always use multi-factor authentication on accounts to reduce the risk of account takeover.