FudModule Rootkit Targets Crypto, Linked to North Korean Citrine Sleet Group

For the third time this year, North Korean threat actors have exploited zero-day vulnerabilities to deploy the FudModule rootkit.

Key Takeaways 

  • A North Korean threat actor, Citrine Sleet, has been observed exploiting a zero-day vulnerability in Chromium, designated as CVE-2024-7971, to achieve Remote Code Execution (RCE). 
  • Citrine Sleet, also tracked by other security firms under the names AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau. The group primarily focuses on financial institutions, especially those involved with cryptocurrency, aiming for financial gain. 
  • The group’s tactics, techniques, and procedures (TTPs) have now been linked to the FudModule rootkit, which has also been associated with Diamond Sleet, another North Korean threat actor. 
  • Citrine Sleet creates fraudulent websites that mimic legitimate cryptocurrency trading platforms to distribute fake job applications or entice targets into downloading a compromised cryptocurrency wallet or trading application. 
  • The threat actor typically infects targets with its custom trojan, AppleJeus, which is designed to gather the information needed to take control of victims’ cryptocurrency assets. 

Overview 

Microsoft researchers observed the Citrine Sleet threat actor group exploiting CVE-2024-7971, a zero-day vulnerability in the V8 JavaScript and WebAssembly engine that affects Chromium versions prior to 128.0.6613.84. By exploiting this vulnerability, the attackers achieved remote code execution (RCE) inside the sandboxed Chromium renderer process. Google released a patch for the vulnerability on August 21, 2024, and users are advised to update to the latest version of Chromium to mitigate the risk. 
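Because the fixed build is a four-component version string, a plain string comparison in an inventory script will misjudge builds such as 128.0.6613.9 (which is older than 128.0.6613.84 but sorts after it lexicographically). The following is an added example, not Cyble's or Microsoft's code, that compares Chromium versions numerically against the fixed build stated above; the inventory lines are constructed.

```python
# Added example: flag Chromium-based browser inventory entries that are still
# below the CVE-2024-7971 fixed build (128.0.6613.84). Inventory is constructed.
from typing import List, Tuple

FIXED_VERSION = "128.0.6613.84"  # first Chromium build the page reports as patched


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84); missing trailing
    components count as 0. Tuple comparison is numeric per component, which
    avoids the lexicographic trap where '128.0.6613.9' > '128.0.6613.84'."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed inventory export: "hostname,browser,version"
INVENTORY = """\
ws-01,chromium,127.0.6533.120
ws-02,chromium,128.0.6613.84
ws-03,chromium,128.0.6613.9
ws-04,chromium,128.0.6613.120
"""


def hosts_needing_update(inventory: str = INVENTORY) -> List[str]:
    """Return hostnames whose Chromium build is below the fixed version."""
    needing = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _browser, version = line.split(",")
        if is_vulnerable(version):
            needing.append(host)
    return needing


if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: Chromium build below {FIXED_VERSION}; update for CVE-2024-7971")
```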

Technical Analysis 

The observed attack chain involved a typical browser exploit sequence, starting with targets being directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space, through common social engineering tactics. 

Once a target’s browser connected to that domain, the zero-day RCE exploit for CVE-2024-7971 was served, allowing the attackers to download and load into memory shellcode containing a Windows sandbox escape exploit and the FudModule rootkit. 

FudModule is an advanced rootkit designed to obtain kernel-level access while evading detection. Threat actors have used this data-only rootkit to escalate from administrator to kernel privileges on Windows systems, obtaining a kernel read/write primitive and using it to perform Direct Kernel Object Manipulation (DKOM). 

The attack chain seen in Citrine Sleet’s zero-day exploitation of CVE-2024-7971 closely mirrors the chain observed by Avast, which involves a variant of FudModule known as “FudModule 2.0.” That variant includes malicious loaders and a late-stage remote access trojan (RAT). Avast’s research identified the previously unknown Kaolin RAT as the malware responsible for deploying the FudModule rootkit on targeted devices. 

Conclusion and Recommendations 

CVE-2024-7971 is the third vulnerability this year that North Korean threat actors have exploited to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193. To address zero-day exploits effectively, it is crucial not only to keep systems updated but also to use security solutions that offer comprehensive visibility across the cyberattack chain to detect and block attacker tools and malicious activities after exploitation. 


To mitigate the risks posed by Citrine Sleet and similar threats, the following best practices are recommended: 

  • Activate the automatic software update function on your computer, mobile device, and any other linked devices when feasible and practical. 
  • Employ a trusted antivirus solution and internet security software suite on all connected devices, such as your PC, laptop, and mobile phone. 
  • Conduct consistent vulnerability assessments to maintain proactive security. 
  • Always use multi-factor authentication on accounts to lessen the risk of takeover. 