North Korean Hackers Deploy FudModule Rootkit through Chrome Zero-Day Exploit
A lately patched safety flaw in Google Chrome and different Chromium internet browsers was exploited as a zero-day by North Korean actors in a marketing campaign designed to ship the FudModule rootkit.
The event is indicative of the persistent efforts made by the nation-state adversary, which had made a behavior of incorporating rafts of Home windows zero-day exploits into its arsenal in current months.
Microsoft, which detected the exercise on August 19, 2024, attributed it to a risk actor it tracks as Citrine Sleet (previously DEV-0139 and DEV-1222), which is also called AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It is assessed to be a sub-cluster throughout the Lazarus Group (aka Diamond Sleet and Hidden Cobra).
It is price mentioning that using the AppleJeus malware has been beforehand additionally attributed by Kaspersky to a different Lazarus subgroup known as BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these risk actors.
“Citrine Sleet relies in North Korea and primarily targets monetary establishments, significantly organizations and people managing cryptocurrency, for monetary achieve,” the Microsoft Risk Intelligence crew said.
“As a part of its social engineering techniques, Citrine Sleet has performed in depth reconnaissance of the cryptocurrency trade and people related to it.”
The assault chains typically involve organising pretend web sites masquerading as reputable cryptocurrency buying and selling platforms that search to trick customers into putting in weaponized cryptocurrency wallets or buying and selling functions that facilitate the theft of digital belongings.
The noticed zero-day exploit assault by Citrine Sleet concerned the exploitation of CVE-2024-7971, a high-severity kind confusion vulnerability within the V8 JavaScript and WebAssembly engine that would permit risk actors to realize distant code execution (RCE) within the sandboxed Chromium renderer course of. It was patched by Google as a part of updates launched final week.
As beforehand acknowledged by The Hacker Information, CVE-2024-7971 is the third actively exploited kind confusion bug in V8 that Google resolved this 12 months after CVE-2024-4947 and CVE-2024-5274.
It is at the moment not clear how widespread these assaults had been or who was focused, however the victims are mentioned to have been directed to a malicious web site named voyagorclub[.]area possible via social engineering methods, thereby triggering an exploit for CVE-2024-7971.
The RCE exploit, for its half, paves the best way for the retrieval of shellcode containing a Home windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to determine admin-to-kernel entry to Home windows-based techniques to permit learn/write primitive capabilities and carry out [direct kernel object manipulation].”
CVE-2024-38106, a Home windows kernel privilege escalation bug, is likely one of the six actively exploited safety flaws that Microsoft remediated as a part of its August 2024 Patch Tuesday replace. That mentioned, the Citrine Sleet-linked exploitation of the flaw has been discovered to have occurred after the repair was launched.
“This may occasionally recommend a ‘bug collision,’ the place the identical vulnerability is independently found by separate risk actors, or information of the vulnerability was shared by one vulnerability researcher to a number of actors,” Microsoft mentioned.
CVE-2024-7971 can also be the third vulnerability that North Korean risk actors have leveraged this 12 months to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, each of that are privilege escalation flaws within the built-in Home windows drivers and had been mounted by Microsoft in February and August.
“The CVE-2024-7971 exploit chain depends on a number of parts to compromise a goal, and this assault chain fails if any of those parts are blocked, together with CVE-2024-38106,” the corporate mentioned.
“Zero-day exploits necessitate not solely preserving techniques updated, but additionally safety options that present unified visibility throughout the cyberattack chain to detect and block post-compromise attacker instruments and malicious exercise following exploitation.”