Analysis Summary

In a recent campaign, North Korean threat actors tracked as Citrine Sleet (formerly known as DEV-0139 and DEV-1222) exploited a zero-day vulnerability in Google Chrome and other Chromium-based browsers.

This flaw, identified as CVE-2024-7971, is a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine. The exploitation of this flaw enabled the attackers to achieve remote code execution (RCE) within the browser's sandboxed environment. This campaign was designed to deploy the FudModule rootkit a sophisticated malware that grants attackers admin-to-kernel level access on Windows systems, allowing them to manipulate kernel objects and execute privileged operations.

According to the report, the attack is attributed to a sub-cluster of the Lazarus Group reflecting the continued efforts of North Korean cyber adversaries to leverage zero-day vulnerabilities to target high-value sectors particularly financial institutions and cryptocurrency entities. Citrine Sleet has been known to employ social engineering tactics such as creating fake websites that mimic legitimate cryptocurrency trading platforms. These sites are used to deceive users into downloading compromised cryptocurrency wallets or trading applications, facilitating the theft of digital assets. The malicious website was utilized to deliver the exploit, directing victims to trigger the CVE-2024-7971 vulnerability.

Moreover, the exploitation chain extended beyond CVE-2024-7971. The attackers also leveraged CVE-2024-38106, a Windows kernel privilege escalation flaw that was part of the vulnerabilities Microsoft patched in August 2024. Interestingly, the exploitation of CVE-2024-38106 by Citrine Sleet occurred post-patch, suggesting either independent discovery by multiple actors (a scenario termed "bug collision") or the sharing of vulnerability information among threat actors. This indicates sophisticated coordination and resource sharing within the North Korean cyber espionage ecosystem as evidenced by the overlap in the use of the AppleJeus malware between Citrine Sleet and another Lazarus subgroup, BlueNoroff.

This campaign underscores the need for organizations to maintain robust cybersecurity postures including timely patching of systems and deployment of security solutions that provide comprehensive visibility and detection capabilities. The persistence and adaptability of North Korean threat actors, particularly their ability to exploit zero-day vulnerabilities and employ multi-layered attack chains, highlights the importance of proactive defense measures to mitigate risks associated with advanced persistent threats (APTs).

Impact

• Code Execution
• Privilege Escalation
• Cryptocurrency Theft

Indicators of Compromise

Domain Name

• voyagorclub.space
• weinsteinfrog.com

Remediation

• Upgrade to the latest version of Google Chrome, available from the Google Chrome Releases Website.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all systems are up-to-date with the latest security patches from software vendors, especially for Google Chrome, Chromium-based browsers, and Windows operating systems.
• Deploy advanced endpoint protection platforms that offer unified visibility across the attack chain and can detect and block post-compromise attacker tools and malicious activity.
• Segregate critical assets and sensitive data from less secure areas of the network to minimize the impact of a breach.
• Regularly monitor networks and systems for signs of compromise, such as unusual activity that may indicate the presence of malware or exploitation attempts.
• Limit the use of administrative accounts and apply the principle of least privilege to reduce the potential impact of a compromised account.
• Enable security features in browsers, such as site isolation and safe browsing modes, to mitigate the risk of exploitation.
• Restrict which applications can run on systems to prevent unauthorized software, including potential malware, from executing.
• Perform frequent vulnerability assessments and penetration testing to identify and address security weaknesses before they can be exploited.
• Implement web filtering solutions to block access to malicious websites and use content inspection to detect and prevent malicious downloads.
• Maintain regular backups of important data and ensure that backups are stored securely and are not directly accessible from the main network.