A North Korean hacking group identified as Citrine Sleet reportedly exploited a previously unknown vulnerability in the Chrome browser to target organizations in the cryptocurrency sector, Microsoft said. The attack, which occurred in mid-August, is the latest in a series of cyber operations linked to North Korea, and, more alarmingly, one of a growing number aimed at cryptocurrency.

The attack centered on a critical vulnerability in Chromium, the open-source engine that underpins Google Chrome, Microsoft Edge, and other major web browsers. The flaw, assigned the identifier CVE-2024-7971, was found in Chrome’s V8 JavaScript engine, the core component responsible for executing JavaScript code. The vulnerability, classified as a type confusion issue, allowed attackers to manipulate how memory was handled within the browser. This enabled the hackers to execute arbitrary code inside the browser’s sandbox, the first step in bypassing the security measures intended to protect users from malicious activity.

Subscribe to TP Daily for updates on the latest and greatest in Tech

The vulnerability was categorized as a zero-day, meaning it was unknown to the software’s developers, leaving them with no time to address it before it was exploited. Microsoft’s cybersecurity team first observed the malicious activity on August 19, 2024, and promptly reported the issue to Google. In response, Google swiftly released a patch on August 21.

The group behind the attack, Citrine Sleet, is believed to operate under the auspices of North Korea’s Reconnaissance General Bureau, specifically its cyber warfare division, Bureau 121. The group is known for aggressively targeting financial institutions, especially those dealing in cryptocurrency. Also tracked by other cybersecurity firms under names such as AppleJeus and UNC4736, Citrine Sleet employs a range of sophisticated techniques to infiltrate and compromise its targets. According to Microsoft’s report, the group often creates fake websites that mimic legitimate cryptocurrency trading platforms. These sites serve as lures to trick unsuspecting users into downloading malware disguised as job applications or cryptocurrency wallets. Once the malware, often the AppleJeus trojan, is installed, it allows the hackers to seize control of the victims’ cryptocurrency assets.


The newest attack began with Citrine Sleet’s exploitation of the Chrome zero-day vulnerability, but it did not end there. After gaining initial access through the browser, the hackers used another vulnerability within the Windows operating system to further their attack. This second flaw, identified as CVE-2024-38106, was located within the Windows Kernel and allowed the hackers to escalate their privileges to gain SYSTEM-level access.

With this elevated access, the hackers were able to install a rootkit known as FudModule. A rootkit is a particularly insidious form of malware that operates with deep access to a computer’s operating system, often remaining undetected while giving attackers full control over the infected machine. FudModule, in particular, is designed to tamper with the Windows kernel, bypassing standard security mechanisms and allowing the hackers to maintain persistent access to the compromised system. Microsoft’s report also noted that FudModule is not exclusive to Citrine Sleet. The rootkit has previously been linked to another North Korean hacking group, Diamond Sleet, suggesting a shared toolkit among North Korea’s state-sponsored actors.
