North Korean Hackers Exploit Chrome Zero-Day, Target Crypto Wallets
North Korean hackers are exploiting a zero-day vulnerability in Google Chrome to gain control over systems and seize victims’ crypto-assets.
Microsoft experts confirmed that the group Citrine Sleet (formerly DEV-0139) leveraged the zero-day CVE-2024-7971 to deploy the FudModule rootkit after obtaining SYSTEM privileges through a Windows kernel exploit. The primary target of these attacks is the cryptocurrency sector, where the hackers seek financial gain. Citrine Sleet has long been notorious for its assaults on financial institutions, particularly cryptocurrency organizations and their employees. The group has previously been linked to North Korean intelligence.
Citrine Sleet (also known as AppleJeus, Labyrinth Chollima, UNC4736) has repeatedly used fake websites disguised as legitimate cryptocurrency trading platforms. The hackers infected victims’ systems through counterfeit job applications or fraudulent wallets and trading apps. For instance, in March 2023, UNC4736 compromised the supply chain of the video conferencing software 3CX, leading to the breach of the X_TRADER software, designed for automating exchange trading.
Google’s Threat Analysis Group (TAG) also confirmed the link between AppleJeus and the compromise of the Trading Technologies website. The U.S. government has been warning for years about the risks posed by North Korean hackers, who target cryptocurrency companies and their employees using the AppleJeus malware.
A week ago, Google patched the zero-day vulnerability CVE-2024-7971, which stemmed from a type confusion bug in the V8 JavaScript engine used in Chrome. The flaw allowed attackers to execute code remotely inside Chromium’s renderer sandbox, after which they exploited CVE-2024-38106 in the Windows kernel to escape it. This chain enabled the hackers to obtain SYSTEM privileges and load the FudModule rootkit into memory, where it is used to manipulate kernel objects and bypass security mechanisms.
Since its discovery in October 2022, the FudModule rootkit has also been used by another North Korean hacker group, Diamond Sleet, which employs similar tools and infrastructure for its attacks. In August 2024, Microsoft released a security update addressing the CVE-2024-38193 vulnerability in the AFD.sys driver, which Diamond Sleet had also exploited in its operations.
Microsoft further noted that one of the organizations targeted in the attack using the CVE-2024-7971 vulnerability had previously been attacked by another North Korean group, BlueNoroff (Sapphire Sleet). These developments underscore the ongoing and relentless activity of North Korean hackers, who continue to assault critical economic sectors in pursuit of financial gain and the advancement of their state’s interests.