North Korean Hackers Exploited Chrome Zero-Day to Deploy Rootkit and Steal Crypto

• North Korean threat actor tracked as Citrine Sleet was seen exploiting two vulnerabilities in a crypto-stealing campaign.
• One was a Chromium zero-day, and the other a sandbox escape exploit, both of which are now fixed.
• The group targeted organizations that managed cryptocurrency and individuals connected to them.

Hackers tracked by Microsoft researchers as Citrine Sleet exploited a now-patched zero-day flaw in a core engine within Chromium to deploy a rootkit. The remote code execution (RCE) exploit for CVE-2024-7971 allowed the attackers to execute code within the sandboxed Chromium renderer process, according to the latest Microsoft security report.

After the successful RCE exploit, the group downloaded shellcode containing a now fixed Windows kernel CVE-2024-38106 sandbox escape exploit and the FudModule rootkit, which was created by the Lazarus APT group and previously associated with the North Korean threat group Diamond Sleet.

The threat actor distributed their unique Trojan malware via counterfeit websites that mimic legitimate cryptocurrency trading platforms (“voyagorclub[.]space”), where victims find fake job opportunities or download buttons for weaponized cryptocurrency wallets or trading apps.

Named AppleJeus, Citrine Sleet’s Trojan harvests data that can be used to gain control of the victim’s crypto assets.

The FudModule rootkit, which disrupts kernel security software through Direct Kernel Object Manipulation (DKOM) to evade detection, provides persistent backdoor access, allowing attackers to exfiltrate sensitive data or install additional malware. 

North Korea-based Citrine Sleet primarily targets financial institutions for financial gain, particularly cryptocurrency organizations and individuals, the report says. The group’s social engineering techniques include extensive reconnaissance of the cryptocurrency industry and connected individuals. 

Microsoft said it has notified “targeted and compromised customers,” but it did not provide more information on who was targeted or how many targets and victims this hacking campaign targeted. Google patched the bug two days later, on August 21.

The North Korean Lazarus APT group was seen abusing a now-patched zero-day flaw in the Windows Ancillary Function Driver for WinSock to elevate privileges, which allowed the attackers to install the FudModule rootkit.