APT Group Citrine Sleet Deploys FudModule Rootkit via Chrome Vulnerability
Threat Group: Citrine Sleet (North Korea-linked APT group)
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerability: Google Chrome Zero-Day (CVE-2024-7971)
Malware Used: FudModule Rootkit
Overview
A North Korea-linked APT group, known as Citrine Sleet, has been identified exploiting a newly discovered zero-day vulnerability in Google Chrome (CVE-2024-7971). This vulnerability, a type confusion flaw in Chrome’s V8 JavaScript engine, allowed the group to deploy the FudModule rootkit, a sophisticated malware capable of gaining and maintaining kernel-level access on compromised systems. The campaign primarily targeted organizations within the cryptocurrency sector, aiming to steal digital assets and disrupt financial operations.
Technical Details
Vulnerability Exploited:
- CVE-2024-7971: A type confusion vulnerability in the V8 JavaScript engine used by Google Chrome and other Chromium-based browsers. This flaw allows attackers to achieve remote code execution (RCE) within the sandboxed environment of the Chromium renderer process.
Attack Vector:
- Citrine Sleet lured victims to a malicious domain,
voyagorclub[.]space
, through social engineering tactics. Upon visiting the site, the zero-day exploit was triggered, allowing the attackers to execute code and escape the browser sandbox.
Additional Exploits:
- CVE-2024-38106: A Windows Kernel privilege escalation vulnerability used to gain SYSTEM privileges, allowing the rootkit to perform Direct Kernel Object Manipulation (DKOM).
Malware Deployed:
- FudModule Rootkit: Once the vulnerabilities were exploited, the FudModule rootkit was deployed to establish persistence and provide backdoor access. This rootkit is known for its ability to evade detection by disabling security products and manipulating kernel objects.
Infrastructure and Attribution:
- The infrastructure and tools used in this attack bear similarities to those used by other North Korean groups, specifically Diamond Sleet, indicating possible collaboration or shared resources. Citrine Sleet has been associated with multiple aliases, including AppleJeus, Labyrinth Chollima, and UNC4736, and is believed to operate under North Korea’s Bureau 121.
Indicators of Compromise (IoCs)
In this case, traditional Indicators of Compromise, like file hashes or specific IP addresses, won't help much. This is because the bad guys used a super sneaky tool called the FudModule rootkit. This rootkit is like a super ninja—it hides really well and changes itself so that it's almost impossible to spot with regular tools.
Instead of looking for easy clues like fingerprints (file hashes), we need to watch for strange behavior. Imagine if someone was moving your toys around at night. You wouldn't see the person, but you'd notice your toys aren't where you left them. Similarly, we should watch for unusual things happening on our computers, like weird changes to settings or programs acting strangely.
So, in short:
- No clear IoCs like file hashes because the rootkit hides too well.
- Focus on strange behavior to catch the bad guys, just like noticing when something feels off in your room.
Mitigation and Recommendations
- Update Systems: Ensure all systems are patched with the latest security updates, particularly for Google Chrome and Windows. Google patched CVE-2024-7971 on August 21, 2024, and Microsoft released a fix for CVE-2024-38106 in its August Patch Tuesday update.
- Deploy Security Solutions: Use advanced security solutions that can detect and block rootkits and zero-day exploits. Security products should provide unified visibility across the attack chain.
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers and reduce the potential impact of a breach.
- Employee Training: Conduct regular training sessions to educate employees about phishing and other social engineering tactics used by threat actors.
- Monitor Network Activity: Continuously monitor network traffic for unusual patterns that may indicate a compromise. Deploy intrusion detection systems (IDS) to identify and respond to suspicious activities.