CVE-2024-7971: North Korean APT Citrine Sleet Exploits Chromium Zero-Day


In a recent cybersecurity report, Microsoft Threat Intelligence has revealed that a North Korean threat actor, believed to be Citrine Sleet, has been actively exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium browsers to target the cryptocurrency sector.

The vulnerability, a type confusion bug in the V8 JavaScript engine, allowed the attackers to gain remote code execution (RCE) inside the browser's renderer process on unpatched systems. Google shipped a fix in Chrome on August 21st, 2024.

Microsoft detected suspicious activity linked to Citrine Sleet and found that the group had been exploiting a type confusion vulnerability in V8, the JavaScript and WebAssembly engine that powers Chromium-based browsers. The flaw, affecting versions prior to 128.0.6613.84, gives the attacker RCE within the sandboxed Chromium renderer process. Because the renderer sandbox confines that code, renderer RCE by itself is not enough to compromise the host: the attackers chain it with a separate sandbox escape before they can run malware on the underlying system.

Citrine Sleet is a notorious cyber threat actor group, believed to operate under North Korea’s Reconnaissance General Bureau, Bureau 121. The group is infamous for targeting financial institutions, particularly those involved in cryptocurrency, to fund the North Korean regime. Their operations are marked by meticulous reconnaissance, creating fake websites mimicking legitimate cryptocurrency platforms to lure victims into downloading weaponized software.

Citrine Sleet’s tactics include deploying the AppleJeus trojan, which collects critical information to seize control of cryptocurrency assets. In this latest campaign, they have also utilized the FudModule rootkit—a highly sophisticated piece of malware capable of evading detection and manipulating the Windows kernel, enabling deeper infiltration into targeted systems.

The attack chain uncovered by Microsoft follows a familiar yet effective pattern. Targets are directed to a malicious domain, voyagorclub[.]space, under Citrine Sleet's control. Once the victim's browser connects, the CVE-2024-7971 exploit is delivered, giving the attackers RCE within the Chromium renderer process. Since that code is still confined by the renderer sandbox, the chain then exploits CVE-2024-38106, a Windows kernel elevation-of-privilege vulnerability, to escape the sandbox and gain kernel-level access; that access is used to download and execute the FudModule rootkit. Microsoft had already fixed CVE-2024-38106 in its security update of August 13th, 2024, so a Windows host patched before the campaign would have stopped the chain at the sandbox even if its browser was still vulnerable.

The FudModule rootkit, first attributed to another North Korean group, Diamond Sleet, has now been linked to Citrine Sleet, suggesting possible collaboration or shared tooling between these groups. This rootkit employs direct kernel object manipulation (DKOM) techniques, which disrupt kernel security mechanisms and grant the attackers extensive control over the infected system.

Microsoft recommends that all users update their Chromium-based browsers (Chrome, Edge and other Chromium derivatives) to version 128.0.6613.84 or later, which closes CVE-2024-7971. Security teams should also confirm that the August 2024 Windows security updates addressing CVE-2024-38106 are installed, since that patch breaks the sandbox escape used in this chain, block and hunt for connections to voyagorclub[.]space in DNS and proxy logs, and follow Microsoft's detailed guidance on detecting the FudModule rootkit and related tooling.
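The two checks above are easy to get subtly wrong: comparing browser version strings lexically ranks 128.0.6613.9 above the fixed build 128.0.6613.84, and a plain substring match on the indicator domain also flags unrelated hosts such as voyagorclub.space.example.org. The following script is an added example, not code from Microsoft or the original post. It assumes the fixed Chromium build and the attacker domain exactly as the report states them, and uses constructed DNS/proxy log lines so it runs offline; in practice you would read the installed version from the browser's about page or the `version` value under its `BLBeacon` registry key, and feed it real log exports.

```python
import re

# Fixed Chromium build for CVE-2024-7971 and the attacker domain, both as named in the report.
FIXED_CHROMIUM = "128.0.6613.84"
IOC_DOMAIN_DEFANGED = "voyagorclub[.]space"

# Constructed sample log lines (not real telemetry). The third line is a decoy host that a
# naive substring match would wrongly flag; the fourth is benign traffic.
SAMPLE_LOGS = [
    "2024-08-19T14:02:11Z dns client=10.0.4.17 query=voyagorclub.space type=A",
    "2024-08-19T14:02:12Z proxy client=10.0.4.17 host=cdn.voyagorclub.space method=GET status=200",
    "2024-08-19T14:03:40Z proxy client=10.0.4.22 host=voyagorclub.space.example.org method=GET status=200",
    "2024-08-19T14:05:01Z dns client=10.0.4.31 query=update.googleapis.com type=A",
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84) so each component compares numerically."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a Chromium-style version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_CHROMIUM) -> bool:
    """True if the installed build predates the fix. Tuple comparison treats a shorter
    version (e.g. '128.0.6613') as older than the fixed build, which is the safe default."""
    return parse_version(installed) < parse_version(fixed)


def refang(indicator: str) -> str:
    """Convert a defanged indicator from a report into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, ioc_domain: str) -> bool:
    """Match the domain itself or any subdomain, but not a host that merely contains it."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Pulls the queried name (DNS) or requested host (proxy) out of the sample log format.
HOST_FIELD = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")


def find_ioc_hits(lines: list[str], ioc_defanged: str = IOC_DOMAIN_DEFANGED) -> list[str]:
    """Return the log lines whose host or query field resolves to the indicator domain."""
    ioc_domain = refang(ioc_defanged).lower()
    hits = []
    for line in lines:
        match = HOST_FIELD.search(line)
        if match and host_matches(match.group(1), ioc_domain):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for build in ("127.0.6533.120", "128.0.6613.9", "128.0.6613.84", "128.0.6613.120"):
        print(f"{build:>16}: {'VULNERABLE' if is_vulnerable(build) else 'patched'}")
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IOC hit:", hit)
```

Run stand-alone, the script reports the first two builds as vulnerable and the last two as patched, and flags only the two sample lines that actually reach the attacker domain or one of its subdomains.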
