A recent cyber attack orchestrated by a North Korean threat actor has raised concerns within the cybersecurity community. The attack exploited a zero-day vulnerability in Google’s Chromium browser to deploy the FudModule rootkit, with a primary focus on targeting cryptocurrency firms for financial gain.
Microsoft, a prominent player in the cybersecurity space, uncovered this sophisticated cyber operation attributed to a group known as Citrine Sleet. This threat actor leveraged a zero-day vulnerability, tracked as CVE-2024-7971, to execute their malicious activities. The attack, specifically aimed at the cryptocurrency sector, highlighted the evolving tactics of state-sponsored hacking groups.
Citrine Sleet, with a history of targeting financial institutions, utilized a type confusion vulnerability in the V8 JavaScript and WebAssembly engine to breach versions of Chromium before 128.0.6613.84. The attackers initiated the operation by luring victims to a malicious domain, voyagorclub[.]space, where they deployed a zero-day RCE exploit to gain access to the sandboxed Chromium renderer process.
Once inside the target systems, Citrine Sleet deployed the FudModule rootkit, a malicious tool designed to disrupt kernel security mechanisms through Direct Kernel Object Manipulation (DKOM). This rootkit enabled persistent backdoor access to compromised systems, facilitating the theft of sensitive data and the deployment of additional malware. Notably, the FudModule rootkit has been linked to another North Korean threat group, Diamond Sleet, hinting at potential collaboration between these state-sponsored actors.
The attack further exploited a vulnerability, CVE-2024-38106, in the Windows kernel to escape the browser’s sandbox and gain deeper control over the system. Although Microsoft had patched this kernel vulnerability shortly before the attack’s discovery, the threat actors still exploited it effectively, underscoring their preparedness and technical capabilities.
The FudModule rootkit, primarily associated with the Lazarus Group, represents a sophisticated malware tool with advanced features aimed at enhancing stealth and functionality. Its evolution includes exploiting a zero-day vulnerability in the AppLocker driver to achieve kernel-level access, utilizing advanced techniques like handle table entry manipulation and DKOM, and focusing on stealth enhancements to evade detection by security solutions.
Recommendations from Microsoft emphasize the importance of immediate system updates, particularly for Chromium-based browsers, to mitigate risks associated with the exploited vulnerabilities. Organizations are urged to deploy robust security solutions, educate employees on phishing and social engineering risks, implement network segmentation, and monitor network traffic to bolster their defenses against similar attacks.
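An added example, not from the article or from Microsoft, of two checks that follow from the recommendations above: comparing installed Chromium-based browser builds against the fixed version 128.0.6613.84 named in the article, and scanning proxy log lines for the lure domain it names. The hostnames, version inventory and log lines are constructed.

```python
# Added defensive checks (not from the article): flag Chromium-based browser
# builds older than the first fixed version and look for the lure domain in
# proxy logs. Inventory and log lines below are constructed sample data.
import re
from typing import Dict, List, Tuple

PATCHED_CHROMIUM = "128.0.6613.84"  # first fixed build, per the article
LURE_DOMAIN = "voyagorclub.space"   # de-fanged in the article as voyagorclub[.]space


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '127.0.6533.120' into (127, 0, 6533, 120) so builds compare numerically,
    not lexically ('9' < '10' must hold)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix for CVE-2024-7971."""
    return parse_version(version) < parse_version(PATCHED_CHROMIUM)


def flag_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose browser build still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Match the lure domain and its subdomains as a whole host label; a trailing
# '.' or word character is rejected so 'voyagorclub.space.example.com' does not hit.
_LURE_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(LURE_DOMAIN) + r"(?![\w.-])", re.IGNORECASE
)


def find_lure_contacts(log_lines: List[str]) -> List[str]:
    """Return the proxy log lines that contacted the lure domain."""
    return [line for line in log_lines if _LURE_RE.search(line)]


# Constructed sample data: hostname -> reported Chromium-based browser build.
SAMPLE_INVENTORY = {
    "ws-042": "127.0.6533.120",
    "ws-077": "128.0.6613.84",
    "ws-113": "128.0.6613.119",
    "ws-205": "126.0.6478.127",
}

# Constructed proxy log lines (timestamp, host, method, URL, status).
SAMPLE_LOG = [
    "2024-08-19T10:02:11Z ws-042 GET https://voyagorclub.space/ 200",
    "2024-08-19T10:02:12Z ws-042 GET https://cdn.voyagorclub.space/app.js 200",
    "2024-08-19T10:03:40Z ws-077 GET https://voyagorclub.space.example.com/ 200",
    "2024-08-19T10:04:05Z ws-113 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    print("needs update:", flag_hosts(SAMPLE_INVENTORY))
    for hit in find_lure_contacts(SAMPLE_LOG):
        print("lure contact:", hit)
```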
In an era where cyber threats continue to evolve, the collaboration between threat actors and the sophistication of their tactics highlight the need for proactive cybersecurity measures. By implementing the recommended mitigations and staying vigilant against emerging threats, organizations can significantly reduce their exposure to malicious activities orchestrated by state-sponsored hacking groups like Citrine Sleet.
