A Chrome zero-day was being exploited by North Korean hackers


Google Chrome recently received a patch for a vulnerability targeting cryptocurrency platforms. The security hole was classified as zero-day, meaning it existed for a while without the company’s knowledge. Now, it is known that North Korean hackers took advantage of Chrome’s zero-day to inject malware and a rootkit.

The vulnerability affected both Chrome and Chromium-based third-party browsers, like Edge, which is why Microsoft offered more specific details in a blog post. Exploitation of CVE-2024-7971, the tracked vulnerability, is used to remotely execute code and install the FudModule rootkit on the victim’s device. The attackers also took advantage of CVE-2024-38106, a vulnerability in the Windows kernel, to gain SYSTEM privileges. Microsoft patched that vulnerability recently, too.

North Korean hackers exploited Chrome’s zero-day vulnerability before it was spotted

A zero-day is a vulnerability that the software developer is not aware of. Therefore, malicious third parties could exploit it since there is no official patch yet. The name “zero-day” comes from the fact that the developer has zero days to fix it once spotted, since it may already be exploited. In the case of Chromium, the affected component was V8, the browser’s JavaScript code execution engine.

Chromium’s V8 engine was vulnerable to type confusion attacks. According to MITRE, this type of weakness “allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.” Type confusion can “trigger logical errors because the resource does not have expected properties,” resulting in out-of-bounds memory access. After that, attackers could achieve remote code execution in the browser, which they took advantage of to redirect the user to the malicious website voyagorclub[.]space.
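To make the MITRE definition concrete, here is an added C illustration (not code from the article, Chromium, or Microsoft) of how reading an object through the wrong layout reaches memory outside its real fields, next to the tag check that prevents it; the two object layouts, the marker bytes and the demo functions are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Two constructed object layouts sharing one header, mirroring how an engine
 * keeps differently shaped objects behind a single pointer type. */
enum kind { KIND_SMALL = 1, KIND_LARGE = 2 };

struct header { int kind; };
struct small_obj { struct header h; uint32_t value; };      /* one payload word */
struct large_obj { struct header h; uint32_t values[8]; };  /* eight payload words */

/* Vulnerable pattern (CWE-843): trusts the caller's belief about the layout.
 * Given a small_obj, the index reaches past its real fields: the
 * out-of-bounds read the article describes. */
static uint32_t read_slot_unchecked(struct header *obj, size_t idx) {
    struct large_obj *l = (struct large_obj *)obj;
    return l->values[idx];
}

/* Hardened version: verify the tag before reinterpreting the object, then
 * bound the index against the layout the tag actually names. 0 on success. */
static int read_slot_checked(struct header *obj, size_t idx, uint32_t *out) {
    if (obj->kind != KIND_LARGE) return -1;                  /* wrong type: refuse */
    struct large_obj *l = (struct large_obj *)obj;
    if (idx >= sizeof l->values / sizeof l->values[0]) return -2;
    *out = l->values[idx];
    return 0;
}

/* Places a small object on memory pre-filled with a marker pattern (standing
 * in for whatever neighbours it) and reads it as if it were large. */
uint32_t demo_confused_read(void) {
    union { struct small_obj s; struct large_obj l; } u;
    memset(&u, 0xAA, sizeof u);
    u.s.h.kind = KIND_SMALL;
    u.s.value = 7;
    return read_slot_unchecked(&u.s.h, 3);   /* 0xAAAAAAAA: bytes outside the small layout */
}

int demo_checked_rejects(void) {
    struct small_obj s = { { KIND_SMALL }, 7 };
    uint32_t out = 0;
    return read_slot_checked(&s.h, 3, &out); /* -1: confusion rejected */
}

uint32_t demo_checked_reads(void) {
    struct large_obj l = { { KIND_LARGE }, { 10, 11, 12, 13, 14, 15, 16, 17 } };
    uint32_t out = 0;
    if (read_slot_checked(&l.h, 3, &out) != 0) return 0;
    return out;                              /* 13: correct layout, in-bounds index */
}
```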

At this point, the attackers sought to install an exploit targeting the CVE-2024-38106 Windows vulnerability mentioned above. If the attack was successful, the attackers would have obtained SYSTEM privileges, which is bad news. The hackers even had advanced methods to bypass kernel-level security protections. They injected the FudModule rootkit, which allows them to write to the kernel and manipulate it at will. FudModule-based attacks are known as direct kernel object manipulation (DKOM) operations.

Microsoft blames North Korean group Citrine Sleet

According to Microsoft, the North Korea-based hacker group Citrine Sleet was exploiting the Chrome and Windows vulnerability combo. The Redmond giant says that the group “primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain.” Similar groups often use attack methods such as platform cloning or trojanizing popular software. They even infected X_TRADER, a popular stock-trading automation application, after “hijacking” its official website.

It’s notable that other cybersecurity vendors track these attacks under names like AppleJeus, Labyrinth Chollima, and UNC4736. This suggests that while they are different groups, they all share technologies and methods. With the patches out, the hackers’ “trick” should no longer work. However, it would be interesting to know how many platforms fell victim to related attacks. Since the FudModule rootkit was first detected in 2022, it’s possible that hackers have been exploiting the method for at least two years.

2024-09-02 15:05:59
