Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

North Korean Hackers Tied to Exploits of Chromium Zero-Day

Cryptocurrency Users Targeted in Latest Campaign Involving FudModule Rootkit
North Korean Hackers Tied to Exploits of Chromium Zero-Day
North Korea's "Monument to Party Founding" in Pyongyang. (Image: Peter Anta/Pixabay)

A hacking group tied to North Korea exploited a zero-day vulnerability in the open source Google Chromium web browser to try and steal cryptocurrency.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

So warns Microsoft in a new report, detailing the financially motivated campaign, which exploited a now-patched flaw in V8 - Google's open source, high-performance JavaScript and WebAssembly engine, which is written in C++.

Now tracked as CVE-2024-7971, the flaw can be exploited to remotely execute code on a targeted system, and exists in versions of Chromium prior to 128.0.6613.84, which began to get rolled out Aug. 21.

Microsoft's Security Response Center notified Google about the flaw on Aug. 19. Google rated the severity of the vulnerability as "high," since it can be used to remotely execute arbitrary code.

Microsoft attributes the campaign it saw targeting the vulnerability to a threat actor it codenamed Citrine Sleet, which is also known as AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra. The financially motivated group has been linked to North Korea's cyber operations agency, Bureau 121, which is part of the military's Reconnaissance General Bureau.

In this campaign, the attackers used fake websites and job applications to lure targets into downloading either a malicious cryptocurrency wallet or trading application, Microsoft said.

Anyone who fell for the lure would get redirected to an attacker-controlled domain designed to remotely exploit the vulnerability to install a rootkit called FudModule that runs in-memory on the targeted device. The rootkit also attempted to exploit a Windows kernel privilege escalation vulnerability tracked as CVE-2024-38106, to allow it to escape a Windows sandbox.

"Once the sandbox escape exploit was successful, the rootkit employs direct kernel object manipulation techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive," said Microsoft, which released a software update on Aug. 13 to patch that vulnerability.

The researchers didn't detail how many individuals or organizations got targeted or fell victim to the cryptocurrency-targeting campaign.

FudModule is a sophisticated piece of malware that has been linked to multiple North Korean hacking campaigns groups since at least October 2021.

Last month, Microsoft warned that North Korean attackers were exploiting a different zero-day vulnerability in the Windows Ancillary Function Driver - Afd.sys - for WinSock, tracked as CVE-2024-38193, to sneak FudModule onto targeted systems. The group's attacks often involve "bring your own vulnerable driver" - aka BYOVD - tactics to introduce known vulnerabilities they can exploit and install malware (see: North Korea Exploited Windows Zero-Day to Deploy Fudmodule).

The group executed one such campaign in the summer of 2023, "targeting specific individuals in the Asian region through fabricated job offers," Gen Digital's Avast antivirus software unit reported in April.

One objective of those multi-stage attacks, which targeted a different zero-day vulnerability in Windows, was to drop a never-before-seen remote access Trojan codenamed Kaolin onto victims' systems, which then loaded FudModule, it said. Avast attributed the campaign to North Korea's Lazarus advanced-persistent threat group.

Microsoft tracks the group involved in that campaign as Diamond Sleet, and notes that while that cluster of threat activity has differences with Citrine Sleet, it's "previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors."

After spotting signs of the latest campaign, Microsoft said it "directly notified targeted or compromised customers, providing them with important information to help secure their environments."

More Chromium Flaws Under Fire

In its latest major Chromium release, which is version 128, Google fixed a total of 38 separate security flaws.

Another one of those security flaws involved a high-risk confusion vulnerability, also in the V8 engine, "that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page," said the U.S. Cybersecurity and Infrastructure Security Agency. Tracked as CVE-2024-7965, Google warned Aug. 20 that the vulnerability was already being exploited via in-the-wild attacks.

CISA on Wednesday added the flaw to its catalog of known exploited vulnerabilities and set a Sept. 18 deadline for all civilian federal agencies to fix the flaw. "This vulnerability could affect multiple web browsers that utilize Chromium, including - but not limited to - Google Chrome, Microsoft Edge and Opera," it said.

The flaw was discovered by a security researcher known as "TheDog" on July 30 and reported to Google.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.