Chrome 0Day Devastates Global Cryptocurrencies

North Korean hackers exploited a zero-day vulnerability in Google Chrome to take control of victims' systems and steal their cryptocurrency.

According to Microsoft, the Citrine Sleet group (formerly tracked as DEV-0139) used the zero-day CVE-2024-7971 to deploy the FudModule rootkit after obtaining SYSTEM privileges through a second exploit in the Windows kernel. The primary target of these attacks is the cryptocurrency sector, where the group's aim is financial gain. It has a history of targeting financial institutions, specifically cryptocurrency organizations and their employees, and has been linked to North Korean intelligence.

The Citrine Sleet group, also tracked as AppleJeus, Labyrinth Chollima and UNC4736, is known for building fake websites that impersonate legitimate cryptocurrency trading platforms, and for infecting victims through bogus job applications or trojanized wallet and trading apps. In March 2023, for example, UNC4736 was tied to the supply-chain compromise of 3CX's video conferencing software, an intrusion that was itself traced back to a trojanized build of the X_TRADER trading software from Trading Technologies.

Google's Threat Analysis Group (TAG) had also confirmed that the AppleJeus group compromised the Trading Technologies website. The US government has long warned of North Korean hackers targeting cryptocurrency companies and their employees with AppleJeus malware.

Google patched the zero-day, CVE-2024-7971, a type confusion bug in Chrome's V8 JavaScript engine, on August 21, 2024 (Chrome 128.0.6613.84). The bug gave attackers remote code execution inside the sandboxed Chromium renderer process; from there they loaded an exploit for CVE-2024-38106 in the Windows kernel to escape the sandbox. That second exploit grants SYSTEM privileges, which the attackers used to load the FudModule rootkit into memory, where it manipulates kernel objects to disable security mechanisms.
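A first triage step after a chain like this is to find every host whose Chrome still predates the fix. The helper below is an added example written for this page, not code from Microsoft, Google or the attackers; it assumes a constructed tab-separated inventory of hostname and Chrome version (a real export from an endpoint-management tool would be substituted) and only checks the browser half of the chain, not the Windows kernel patch level.

```python
"""Flag Chrome installs that predate the CVE-2024-7971 fix (hypothetical triage helper)."""
import re
from typing import Dict, List, Optional, Tuple

# Google shipped the fix in Chrome Stable 128.0.6613.84 on 21 August 2024.
FIXED_VERSION: Tuple[int, int, int, int] = (128, 0, 6613, 84)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84); None if the string is not a 4-part version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is older than the fixed build, False if patched, None if unknown.

    Comparison is done on integer tuples, not strings: a string compare would
    rank '99.0.4844.51' above '128.0.6613.84' and '128.0.6613.8' correctly
    below it only by accident.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None  # unparseable entries are 'unknown', never silently 'safe'
    return parsed < FIXED_VERSION


# Constructed sample inventory (hostname<TAB>chrome_version); not real data.
SAMPLE_INVENTORY = (
    "ws-trader-01\t127.0.6533.120\n"
    "ws-trader-02\t128.0.6613.84\n"
    "ws-trader-03\t128.0.6613.119\n"
    "ws-ops-07\t128.0.6613.8\n"
    "ws-ops-09\tnot-installed\n"
    "ws-legacy-04\t99.0.4844.51\n"
)


def triage(inventory: str) -> Dict[str, List[str]]:
    """Bucket every host in the inventory as vulnerable, patched or unknown."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        state = is_vulnerable(version)
        if state is None:
            buckets["unknown"].append(host)
        elif state:
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a host whose browser version cannot be read is a host that still needs a human look, and collapsing it into "patched" is how vulnerable machines drop out of a remediation list.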

Since its discovery in October 2022, the FudModule rootkit has also been used by another North Korean group, Diamond Sleet, which shares tooling and infrastructure with Citrine Sleet. In August 2024 Microsoft released a security update for CVE-2024-38193 in the afd.sys driver, a vulnerability Diamond Sleet had previously exploited.

Microsoft also noted that an organization targeted in the CVE-2024-7971 exploit was previously attacked by another North Korean group, Bluenoroff (Sapphire Sleet
