The North Korean advanced persistent threat group (APT) Citrine Sleet is the alleged operator of a new campaign that exploits the recently patched Google Chrome zero-day vulnerability to launch the FudModule rootkit.
Researchers explained that the attackers used CVE-2024-7971, which has a critical severity score of 8.8 out of 10, to distribute a malicious rootkit. Moreover, Microsoft attributes the new campaign with medium confidence to Citrine Sleet, a notorious North Korean threat group that commonly targets the cryptocurrency sector for financial gain.
However, the FudModule malware is also linked to another DPRK cyber espionage group, Diamond Sleet. Microsoft previously found shared infrastructure and tools between these two APT groups, indicating that both employ the FudModule rootkit.
This then-unpatched zero-day impacts Chromium versions before 128.0.6613.84. If a malicious entity abuses the flaw, it can acquire remote code execution (RCE) within the sandboxed Chromium renderer process.
The Citrine Sleet APT uses a typical browser exploit process for deploying the FudModule rootkit.
According to investigations, the Citrine Sleet zero-day campaign follows a standard browser exploit process. The group initially redirects its targets to an attacker-controlled exploit domain called voyagorclub[.]space.
Researchers cannot confirm how this campaign redirects its targets to the malicious domain, but they suspect that the attackers use social engineering tactics. Once a user lands on the attacker-controlled domain, the zero-day RCE exploit for CVE-2024-7971 is served and executes.
After the RCE exploit achieves code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit are downloaded onto the infected device and loaded into memory.
Once the sandbox escape succeeds, the FudModule rootkit runs entirely in memory. It disables kernel security mechanisms through direct kernel object manipulation (DKOM) techniques: the malware operates from user mode and tampers with the kernel through a kernel read/write primitive.
These newly discovered threats prompted Microsoft to urge enterprises to keep their systems up to date and to employ security solutions that provide unified visibility across the attack chain. This approach also allows defenders to detect and stop post-compromise attacker tools and malicious activity in case exploitation succeeds.
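The practical follow-up to the patch advice above is checking which browsers in an estate are still below the fixed build. The script below is an added example, not code from the article or from Microsoft; it parses Chromium version strings numerically and classifies a constructed sample inventory against the 128.0.6613.84 threshold the article gives. The host names and versions in `SAMPLE_INVENTORY` are invented, and the comma-separated inventory format is an assumption. Numeric comparison is the point: compared as strings, 128.0.6613.9 would sort after 128.0.6613.84 and be wrongly reported as patched.

```python
"""Added example (not from the original article): classify Chromium/Chrome
version strings against the CVE-2024-7971 fixed build (128.0.6613.84).
Per the article, versions before that build are affected."""
from __future__ import annotations

FIXED_BUILD = "128.0.6613.84"  # first Chromium release containing the fix


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84).

    Tuples of ints compare numerically; raw strings would not
    ('128.0.6613.9' > '128.0.6613.84' as text, which is wrong).
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the reported version is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hypothetical hosts): hostname,browser_version
SAMPLE_INVENTORY = """\
ws-0017,128.0.6613.84
ws-0018,128.0.6613.9
ws-0019,127.0.6533.120
ws-0020,129.0.6668.58
ws-0021,unknown
"""


def triage(inventory: str, fixed: str = FIXED_BUILD) -> dict[str, list[str]]:
    """Bucket each host into patched / vulnerable / unparseable.

    Unparseable entries are kept visible rather than silently dropped,
    since an unknown version is not evidence that a host is patched.
    """
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unparseable": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "vulnerable" if is_vulnerable(version, fixed) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host.strip())
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run as-is to see the three buckets; in practice, replace `SAMPLE_INVENTORY` with the export from whatever asset inventory reports browser versions, and treat the `unparseable` bucket as a follow-up list rather than noise.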