
North Korean Hackers Exploit Chromium Browser to Attack Crypto Institutions

By Ehimen Aimudogbe | 5 min read
Hackers Safety Computer | Pixabay

According to a recent Microsoft report, North Korean hackers exploited a zero-day vulnerability in the open-source Google Chromium web browser to attack cryptocurrency institutions. The report details the financially motivated campaign, identifying threat actors and trends.

According to the report, the hackers exploited a now-patched flaw in V8, Google's open-source, high-performance JavaScript and WebAssembly engine, written in C++. The flaw (tracked as CVE-2024-7971) exists in Chromium versions prior to 128.0.6613.84, released on August 21; before that release, hackers could exploit it to execute code on a targeted system.

Microsoft's Security Response Center notified Google about the flaw on August 19. Assessing the flaw, Google rated its severity as "high," since hackers could exploit it to remotely execute arbitrary code.
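The practical takeaway from the two paragraphs above is a version check: any Chromium-based build older than 128.0.6613.84 is in the affected range. The script below is an added example (it is not from the article or from Microsoft's report) that parses the line printed by `chrome --version` or `chromium --version` and reports whether the build predates the fixed release. The sample output lines are constructed for illustration, and the assumption that the browser prints its version in that "Name major.minor.build.patch" shape is the only one the code relies on.

```python
import re

# Chromium release that ships the fix for CVE-2024-7971, per the article.
PATCHED_VERSION = "128.0.6613.84"

# Constructed sample lines in the shape printed by `chrome --version` /
# `chromium --version` on Linux and macOS (not taken from the article).
SAMPLE_OUTPUT = [
    "Google Chrome 127.0.6533.119",
    "Chromium 128.0.6613.84",
    "Google Chrome 128.0.6613.120",
    "Chromium 126.0.6478.182 snap",
]

# Dotted version of two to four numeric components.
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted version from a --version line and return it as a
    tuple of ints so that comparison is numeric, not lexical: as strings,
    "128.0.6613.84" would sort above "128.0.6613.120", which is wrong."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to four components so a short "128.0" compares like "128.0.0.0".
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the running build predates the fixed release."""
    return parse_version(version) < parse_version(patched)


def audit(lines):
    """Map each --version line to 'affected' or 'patched'."""
    return {line: ("affected" if is_affected(line) else "patched") for line in lines}


if __name__ == "__main__":
    for line, status in audit(SAMPLE_OUTPUT).items():
        print(f"{status:8s}  {line}")
```

On a fleet, the same check can be driven from inventory data rather than shell output; the point of the tuple comparison is that the build number (6613) and patch number (84) must be compared as integers, since a string comparison silently misclassifies later patch releases.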

Microsoft Identifies North Korean Actors in Series of Cryptocurrency Scams

Citrine Sleet is the codename Microsoft gave to the threat actor group identified behind the hack. This group, Microsoft says, has links with North Korea's cyber operations agency, Bureau 121, a subsidiary of the military's Reconnaissance General Bureau. Other names for the group include Hidden Cobra, UNC4736, Labyrinth Chollima, and AppleJeus.

Hidden Cobra reportedly used fake websites and job applications to lure targets into installing a malicious trading platform or cryptocurrency wallet. Victims would be redirected to an attacker-controlled domain that installed a rootkit called FudModule.

FudModule then exploits further vulnerabilities in the Windows kernel to escape the sandbox. Once it has escaped, Microsoft says, "the rootkit employs direct kernel object manipulation techniques to disrupt kernel security mechanisms."

From that point, FudModule runs entirely from user mode and tampers with the kernel through a kernel read/write primitive. Microsoft reportedly released a software update on August 13 to patch the flaw.

Umpteenth Attempt to Exploit Chromium’s Zero-Day Vulnerability

Remarkably, this isn't the only time that Microsoft has identified FudModule in a sophisticated hacking attempt. Microsoft has reportedly attributed the rootkit to multiple North Korean hacking campaign groups since at least October 2021.

Gen Digital's Avast antivirus software unit identified a similar campaign from the group in the summer of 2023 that targeted individuals in the Asian region using malicious job applications. All reports describe these multi-stage attacks as attempts to exploit various zero-day vulnerabilities in Windows and deliver novel remote-access malware carrying FudModule onto victims' systems.

Microsoft also warned that a cluster of North Korean attackers codenamed Diamond Sleet exploited a new zero-day vulnerability in the Windows Ancillary Function Driver toward the same end last month. Diamond Sleet may have a different "address" from Citrine Sleet, but Microsoft reports that the two groups may have shared FudModule, based on the infrastructure overlap it identified.

The software giant says it has directly informed customers targeted or compromised by the crypto hacking campaign, and that it has provided them with security information for securing their environments.

Wrapping Up

Microsoft says that hackers linked to North Korea exploited a flaw in the open-source Chromium browser in a financially motivated cybercrime campaign. The operations targeted cryptocurrency wallets, luring victims into installing malicious cryptocurrency wallets and trading platforms.
