North Korean hackers exploit Chrome zero-day to deploy rootkit

August 30, 2024 at 01:06PM

North Korean hackers exploited a since-patched Google Chrome zero-day to deploy the FudModule rootkit, chaining it with a Windows kernel exploit to gain SYSTEM privileges. Microsoft attributed the attacks to Citrine Sleet, a North Korean threat actor that targets the cryptocurrency sector for financial gain and whose activity overlaps with several other tracked groups.

Key points from the article:

– North Korean hackers exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit, then used a Windows kernel exploit to gain SYSTEM privileges.
– Microsoft attributes the exploitation to a North Korean threat actor targeting the cryptocurrency sector for financial gain, specifically Citrine Sleet (previously tracked as DEV-0139). Other names for this threat group include AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra.
– Citrine Sleet targets financial institutions, focusing on cryptocurrency organizations and associated individuals, and has been linked to Bureau 121 of North Korea’s Reconnaissance General Bureau.
– The group sets up malicious websites camouflaged as legitimate cryptocurrency trading platforms, using them to lure potential victims with fake job applications or to get them to install weaponized cryptocurrency wallets or trading apps.
– UNC4736 trojanized the Electron-based desktop client of video conferencing software maker 3CX and was involved in a supply-chain attack on the website of Trading Technologies.
– Google has patched CVE-2024-7971, a type confusion bug in Chrome's V8 JavaScript engine. Before the fix, the attackers used it for remote code execution inside the sandboxed renderer process, then escaped the sandbox with an exploit for CVE-2024-38106, a Windows kernel privilege-escalation flaw that Microsoft fixed in its August 2024 security updates. Both patches are needed to break the chain.
– With SYSTEM privileges in hand, the FudModule rootkit tampered with the kernel, using direct kernel object manipulation (DKOM) to defeat kernel security mechanisms from user mode.
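
The first thing a defender wants from a chain like this is a way to confirm that the browser-side hole is closed across a fleet. The script below is an added example for this page, not code from the article, Google or Microsoft. It assumes that the first stable build carrying the CVE-2024-7971 fix is 128.0.6613.84 (Google's stable channel update of 21 August 2024) and that Chrome on Windows is laid out as `<install root>\Google\Chrome\Application\<version>\`, which is how the standard installer places it; the inventory list at the bottom is constructed sample data. Note what it does not cover: CVE-2024-38106 lives in the Windows kernel, so the sandbox-escape half of the chain is only closed once the August 2024 cumulative update is installed, which this check does not verify.

```python
"""Check whether Chrome builds predate the fix for CVE-2024-7971.

Added example for this page; not code from the article, Google or Microsoft.
Assumptions: the first fixed stable build is 128.0.6613.84, and Chrome on
Windows lives under <install root>\\Google\\Chrome\\Application\\<version>\\.
"""
import os
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# First stable build that shipped the CVE-2024-7971 fix (assumption stated above).
FIXED_CHROME_VERSION = "128.0.6613.84"

# Typical Windows install roots; an assumption about the standard installer layout.
CHROME_APP_DIRS: List[str] = [
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    os.path.join(os.environ.get("LOCALAPPDATA", ""), r"Google\Chrome\Application"),
]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '128.0.6613.85' into (128, 0, 6613, 85); reject anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when `version` is older than the first fixed build.

    The comparison is numeric, component by component, so 128.0.6613.9 sorts
    below 128.0.6613.84 (a plain string compare gets this backwards), and a
    short version such as '128.0' is padded with zeros before comparing.
    """
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have = have + (0,) * (width - len(have))
    want = want + (0,) * (width - len(want))
    return have < want


def installed_chrome_version(app_dirs: Iterable[str] = CHROME_APP_DIRS) -> Optional[str]:
    """Return the newest version directory under the Chrome install roots, or None.

    Chrome keeps the previous build next to a freshly downloaded one until the
    browser restarts, so the highest-numbered directory is the build that will
    run after restart, not necessarily the one running right now.
    """
    found: List[str] = []
    for app_dir in app_dirs:
        if not app_dir:
            continue
        root = Path(app_dir)
        if not root.is_dir():
            continue
        for child in root.iterdir():
            if child.is_dir() and _VERSION_RE.match(child.name):
                found.append(child.name)
    return max(found, key=parse_version) if found else None


def assess(versions: Iterable[str]) -> Dict[str, str]:
    """Classify reported versions (e.g. from an inventory export) as vulnerable, fixed or unparseable."""
    report: Dict[str, str] = {}
    for v in versions:
        try:
            report[v] = "vulnerable" if is_vulnerable(v) else "fixed"
        except ValueError:
            report[v] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real telemetry.
    sample = ["127.0.6533.120", "128.0.6613.84", "128.0.6613.9", "128.0.6613.138", "unknown"]
    for version, status in assess(sample).items():
        print(f"{version:>16}: {status}")
    local = installed_chrome_version()
    if local:
        print(f"local install {local}: {'vulnerable' if is_vulnerable(local) else 'fixed'}")
    else:
        print("no Chrome install found under the assumed paths")
```

Run it on the machine being checked, or feed `assess()` the version column from an endpoint inventory export. The padding in `is_vulnerable()` matters in practice: agents frequently report truncated versions, and treating `128.0` as equal to the fixed build would silently mark vulnerable hosts as patched.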

Citrine Sleet is not the only North Korean group in this space: Diamond Sleet and BlueNoroff (tracked by Microsoft as Sapphire Sleet) have carried out similar attacks against the cryptocurrency sector, and the FudModule rootkit itself had previously been attributed to Diamond Sleet, pointing to tooling shared across these groups.