Chromium is the foundation for many popular web browsers, including Google Chrome and Microsoft Edge, which makes it an especially attractive target for attackers.
Cybersecurity analysts at Microsoft recently discovered that North Korean hackers have been actively exploiting a Chromium RCE zero-day in the wild.
On August 19, 2024, Microsoft identified a North Korean threat actor that had been using a zero-day exploit for CVE-2024-7971, a vulnerability in the V8 JavaScript engine used by the Chromium web browser, to achieve RCE within the sandboxed Chromium renderer process.
Based on the observed activity, researchers attributed this threat to the North Korean threat actor group tracked as “Citrine Sleet.”
The FudModule rootkit deployed as part of this campaign has previously been attributed to the North Korean threat group Diamond Sleet.
However, Microsoft has observed tooling and infrastructure overlaps between the two groups, indicating that Diamond Sleet may be sharing the FudModule malware with Citrine Sleet.
Chromium RCE Zero-Day In The Wild
CVE-2024-7971 is a type confusion vulnerability in the V8 engine that affects all Chromium versions earlier than 128.0.6613.84.
Google released a patch for CVE-2024-7971 on August 21, 2024, so all users are encouraged to install the latest build of Chromium.
CVE-2024-7971 is the third exploited V8 type confusion vulnerability patched this year, after CVE-2024-4947 and CVE-2024-5274.
As tracked by Microsoft, Citrine Sleet is a North Korean threat actor that focuses largely on disrupting financial networks, including organizations and individuals dealing with cryptocurrencies, in a bid to raise funds for the North Korean government.
Citrine Sleet performs extensive reconnaissance of the cryptocurrency industry and launches phishing attacks using fake cryptocurrency exchange platforms it designs.
Its primary tool for targeting the cryptocurrency business, including Japanese firms, is the AppleJeus Trojan, which captures critical information for the attackers and hijacks any crypto assets associated with the targets.
Microsoft said that Citrine Sleet has carried out zero-day attacks, such as the sandbox escape exploit for CVE-2024-38106, a Windows kernel vulnerability used to break out of the sandbox, execute malicious code, and install the FudModule rootkit.
This rootkit employs direct kernel object manipulation (DKOM) techniques to tamper with kernel security mechanisms, using a kernel read-and-write primitive.
Various security companies track Citrine Sleet under other names, including AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and it has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.
FudModule is a sophisticated rootkit that attempts to obtain kernel access stealthily.
Since October 2021, Diamond Sleet has used FudModule, gaining admin-to-kernel access by abusing known vulnerable drivers.
The latest variant of FudModule exploits a vulnerability in appid.sys, and the attack chain that deploys it involves the Kaolin RAT.
On August 13, 2024, Microsoft issued a security update to remediate an AFD.sys zero-day vulnerability that Diamond Sleet had exploited together with the FudModule rootkit.
Recommendations
The recommendations are as follows:
- Keep systems and browsers up to date (Chrome 128.0.6613.84+, Edge 128.0.2739.42+).
- Use browsers with SmartScreen enabled.
- Enable tamper protection, network protection, and EDR in block mode.
- Automate Microsoft Defender for Endpoint responses.
- Turn on cloud-delivered protection, real-time protection, and file scanning in Microsoft Defender.
IoCs
- voyagorclub[.]space
- weinsteinfrog[.]com
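The patched build numbers from the recommendations and the two network IoCs above can be turned into a small hunting script. The Python below is an added example written for this article, not code from Microsoft or the article's author; the inventory rows and DNS log lines are constructed here, and their format is an assumption. It compares browser builds numerically (a lexical string comparison would wrongly rank 128.0.6613.9 above 128.0.6613.84) and matches the defanged IoC domains, including subdomains, in log lines.

```python
"""Hunting helpers for the CVE-2024-7971 / Citrine Sleet campaign.

Added example: inventory and DNS log formats below are constructed
for illustration and are not from the article.
"""
from __future__ import annotations

import re
from typing import Iterable

# First fixed builds, as listed in the article's recommendations.
PATCHED_VERSIONS = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",
}

# Network IoCs from the article, kept in the defanged form in which they were published.
DEFANGED_IOCS = [
    "voyagorclub[.]space",
    "weinsteinfrog[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain ('example[.]com') back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


IOCS = [refang(d) for d in DEFANGED_IOCS]


def parse_version(version: str) -> tuple[int, ...]:
    """'128.0.6613.84' -> (128, 0, 6613, 84): numeric, not lexical, ordering."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(browser: str, version: str) -> bool:
    """True when the installed build is at or above the first fixed build."""
    minimum = PATCHED_VERSIONS[browser.lower()]
    return parse_version(version) >= parse_version(minimum)


def find_unpatched(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose browser build predates the fix.

    Each inventory row is (hostname, browser, version); constructed format.
    """
    return [host for host, browser, ver in inventory if not is_patched(browser, ver)]


# Candidate domain tokens: letters, digits, dots and hyphens.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def matched_ioc(line: str) -> str | None:
    """Return the IoC domain named in the line (exact or as a parent of a subdomain), else None."""
    for token in TOKEN_RE.findall(line):
        candidate = token.lower().strip(".")
        for ioc in IOCS:
            if candidate == ioc or candidate.endswith("." + ioc):
                return ioc
    return None


def find_ioc_hits(log_lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, ioc_domain) for every log line that names an IoC domain."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        ioc = matched_ioc(line)
        if ioc is not None:
            hits.append((number, ioc))
    return hits


# Constructed sample data (hostnames, builds and log lines are invented).
SAMPLE_INVENTORY = [
    ("WS-104", "chrome", "128.0.6613.84"),   # exactly the fixed build: patched
    ("WS-207", "chrome", "128.0.6613.9"),    # lexically "newer", numerically older: unpatched
    ("WS-310", "edge", "128.0.2739.42"),     # fixed Edge build: patched
    ("WS-311", "edge", "127.0.2651.105"),    # previous major: unpatched
]

SAMPLE_DNS_LOG = [
    "2024-08-20T10:01:02Z host=WS-104 query=cdn.voyagorclub.space type=A",
    "2024-08-20T10:01:05Z host=WS-104 query=www.example.com type=A",
    "2024-08-20T10:02:11Z host=WS-207 query=weinsteinfrog.com type=A",
    "2024-08-20T10:02:12Z host=WS-207 query=notweinsteinfrog.com type=A",  # must not match
]

if __name__ == "__main__":
    print("Unpatched hosts:", find_unpatched(SAMPLE_INVENTORY))
    print("IoC hits (line, domain):", find_ioc_hits(SAMPLE_DNS_LOG))
```

The subdomain check uses `endswith("." + ioc)` rather than a substring test so that look-alike registrations such as `notweinsteinfrog.com` do not produce false positives; feed it your own resolver or proxy logs one line at a time.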