North Korean Hackers Exploited Chromium Zero-Day to Deploy Rootkit

In a recent attack, a North Korean threat actor leveraged a zero-day vulnerability in Google’s Chromium browser to deploy the FudModule rootkit, targeting cryptocurrency firms for financial gain.

Microsoft uncovered a sophisticated cyber operation involving a North Korean threat actor exploiting a zero-day vulnerability in Chromium, tracked as CVE-2024-7971. The attack, attributed to the notorious group known as Citrine Sleet, specifically targeted the cryptocurrency sector.

Type Confusion Vulnerability Targeted

Citrine Sleet, a threat actor with a history of targeting financial institutions, executed the attack using a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Google released a patch for the vulnerability on August 21, but not before significant damage was done.

The attack began with social engineering tactics—Citrine Sleet lured victims to a malicious domain, voyagorclub[.]space, where the zero-day RCE exploit for CVE-2024-7971 was deployed. This exploit allowed the attackers to execute code within the sandboxed Chromium renderer process, setting the stage for a more devastating follow-up.

Once inside the target system, Citrine Sleet deployed the FudModule rootkit, an intriguing piece of malware designed to disrupt kernel security mechanisms through Direct Kernel Object Manipulation (DKOM). The rootkit’s purpose is to provide persistent backdoor access to compromised systems, allowing attackers to steal sensitive data or deploy additional malware.

The FudModule rootkit has been previously associated with another North Korean threat group, Diamond Sleet, indicating possible collaboration or shared resources between these state-sponsored actors.

The attack didn’t stop there. Citrine Sleet exploited another vulnerability, CVE-2024-38106, in the Windows kernel, allowing the rootkit to escape the browser’s sandbox and gain deeper control over the system. Microsoft had patched this kernel vulnerability just days before the attack was discovered, but the timing suggests that the threat actors were well-prepared to exploit it.

FudModule Rootkit Overview

The FudModule rootkit is a sophisticated malware tool used primarily by the other notorious North Korean hackers, the Lazarus Group. The rootkit represents one of the most advanced tools in their arsenal and has seen continuous development aimed at improving its stealth and functionality.

Key Features and Evolution

• Kernel-Level Access: The rootkit exploits a zero-day vulnerability (CVE-2024-21338) in the appid.sys AppLocker driver. This allows the Lazarus Group to achieve kernel-level access, enabling them to perform direct kernel object manipulation.
• Advanced Techniques: The latest version of the FudModule rootkit employs several advanced techniques, including:
  • Handle Table Entry Manipulation: Used to suspend processes protected by Protected Process Light (PPL), targeting security tools like Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
  • Direct Kernel Object Manipulation (DKOM): To disable security products, hide malicious activities, and maintain persistence.
  • Registry and Object Callback Removal: Disables security monitoring by removing registry and object callbacks, thus evading detection by security solutions.
• Stealth Enhancements:
  • The rootkit avoids using traditional methods that might raise suspicion, such as using the NtWriteVirtualMemory syscall for both reading and writing kernel memory. This reduces the number of suspicious syscalls and detection opportunities.
• Historical Context and Previous Versions:
  • Initially, the rootkit leveraged a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit known vulnerabilities in drivers like dbutil_2_3.sys and later ene.sys. The shift to exploiting a zero-day vulnerability marks a significant evolution in their tactics.
  • Earlier versions of the rootkit were capable of disabling security monitoring of all security solutions on infected hosts. The latest updates have focused on improved stealth and expanded capabilities.
• Cross-Platform Focus:
  • The group has also been observed using bogus calendar meeting invite links to install malware on Apple macOS systems, indicating a cross-platform focus.

Recommendations and Mitigations

Citrine Sleet, also known as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is a well-established North Korean threat actor with a history of targeting financial institutions. The group’s primary goal is to steal cryptocurrency assets, and they often employ sophisticated social engineering techniques to achieve their objectives.

The North Korean regime has long relied on cybercrime to fund its activities, including its sanctioned nuclear program. The details of the latest operation only reflect the rising threat posed by state-sponsored hacking groups.

Microsoft recommends immediate updates to all systems, particularly to the latest versions of Chromium-based browsers, to mitigate the risk posed by CVE-2024-7971.

In addition to patching, organizations should deploy security solutions that offer unified visibility across the cyberattack chain, allowing for the detection and blocking of post-compromise activity. Microsoft also advises strengthening the overall security posture by ensuring that operating systems and applications are consistently up-to-date.