North Korean Hackers Deploy FudModule Rootkit Using Chrome Zero-Day Exploit
A recently patched security vulnerability in Google Chrome and other Chromium-based browsers was exploited as a zero-day by North Korean hackers in a campaign aimed at delivering the FudModule rootkit.
This incident underscores the ongoing efforts by North Korean state-sponsored actors, who have increasingly incorporated various Windows zero-day exploits into their operations in recent months.
Microsoft detected the malicious activity on August 19, 2024, and attributed it to a threat group known as Citrine Sleet (previously DEV-0139 and DEV-1222), also referred to as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. Citrine Sleet is considered a subgroup of the larger Lazarus Group, also known as Diamond Sleet or Hidden Cobra.
It’s notable that the AppleJeus malware has also been linked by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), highlighting the shared infrastructure and tools among these threat actors.
“Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly those involved in cryptocurrency management, for financial gain,” according to the Microsoft Threat Intelligence team.
“As part of its social engineering efforts, Citrine Sleet has conducted thorough reconnaissance of the cryptocurrency industry and its associated individuals.”
The attack strategy typically involves creating fake websites that appear to be legitimate cryptocurrency trading platforms, designed to deceive users into installing malicious cryptocurrency wallets or trading applications that enable the theft of digital assets.
In the observed attack, Citrine Sleet exploited CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which could allow attackers to execute remote code in the sandboxed Chromium renderer process. Google patched this vulnerability in updates released last week.
As reported by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion vulnerability in V8 that Google has addressed this year, following CVE-2024-4947 and CVE-2024-5274.
Details about the extent of the attacks and the specific targets remain unclear, but victims were reportedly lured to a malicious website, voyagorclub[.]space, likely through social engineering, which then triggered the exploit for CVE-2024-7971.
The remote code execution (RCE) exploit facilitated the delivery of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to “gain admin-to-kernel access on Windows systems, allowing for read/write primitive functions and direct kernel object manipulation.”
CVE-2024-38106, a Windows kernel privilege escalation vulnerability, was one of six actively exploited security flaws patched by Microsoft in its August 2024 Patch Tuesday update. However, the exploitation linked to Citrine Sleet occurred after the patch was released.
“This might indicate a ‘bug collision,’ where the same vulnerability is independently discovered by different threat actors, or that knowledge of the vulnerability was shared among multiple actors,” Microsoft suggested.
CVE-2024-7971 is also the third vulnerability exploited by North Korean threat actors this year to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in two built-in Windows drivers (appid.sys and AFD.sys) that were patched by Microsoft in February and August, respectively.
“The CVE-2024-7971 exploit chain involves several components to successfully compromise a target, and the attack chain can be disrupted if any of these components are blocked, including CVE-2024-38106,” Microsoft noted.
“Defending against zero-day exploits requires not only keeping systems updated but also implementing security solutions that offer unified visibility across the entire cyberattack chain, enabling the detection and blocking of post-compromise attacker tools and malicious activities following exploitation.”