Pierluigi Paganini August 31, 2024

North Korea-linked APT exploited the recently patched Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit.

North Korea-linked group Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736, Hidden Cobra) have exploited the recently patched Google Chrome zero-day CVE-2024-7971(CVSS score 8.8) to deploy the FudModule rootkit, states Microsoft.

Microsoft researchers linked with medium confidence the attacks to Citrine Sleet, a North Korean threat actor targeting the cryptocurrency sector for financial gain. However, the FudModule rootkit is also associated with Diamond Sleet, another North Korea-linked cyberespionage group. Microsoft previously identified shared infrastructure and tools between these two groups, suggesting they might be jointly using the FudModule malware.

CVE-2024-7971 affects versions of Chromium before 128.0.6613.84. If exploited, it could enable threat actors to achieve remote code execution (RCE) within the sandboxed Chromium renderer process.

“The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served.” Microsoft said. “After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory.”

After successfully escaping the sandbox, the FudModule rootkit was executed in memory. This rootkit uses direct kernel object manipulation (DKOM) techniques to interfere with kernel security mechanisms. The rootkit operates entirely from user mode and tampers with the kernel through a kernel read/write primitive. No further malware activity was observed on the targeted devices.

The sandbox escape exploited the flaw CVE-2024-38106, an elevation of privilege vulnerability in the Windows kernel that Microsoft addressed on August 13, 2024.

“CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability.” continues the report. “This may suggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors.”

Microsoft recommends organizations to keep systems up to date and use security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation. Microsoft also recommends strengthening operating environment configuration.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Chrome zero-day)