TheCyberThrone

North Korean Citrine Sleet behind CVE-2024-7971 exploitation


Microsoft’s threat intelligence team discovered that a known North Korean threat actor has been exploiting a Chrome remote code execution flaw that Google patched earlier this month.

The vulnerability, tracked as CVE-2024-7971, was patched by Google last month and has been actively exploited in the wild.

Microsoft attributed the attacks to an actor called ‘Citrine Sleet’ that has in the past been observed targeting financial institutions, particularly organizations and individuals managing cryptocurrency.


Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.

This zero-day exploit attack follows the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space; how the targets were lured to the domain is not known. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served. After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded and loaded into memory.
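A defender-side check for the first stage of the chain: the only indicator the report names is the exploit domain, and the snippet below refangs it and matches it against web proxy log lines, flagging subdomains too but not look-alike hosts. This is an added example, not code from Microsoft or this article; the log format and sample lines are constructed.

```python
import re
from typing import Iterable, List, Optional, Set

# Exploit domain named in the report, as written on the page (defanged).
DEFANGED_IOCS = ["voyagorclub[.]space"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip()


IOC_DOMAINS: Set[str] = {refang(d) for d in DEFANGED_IOCS}


def host_matches(host: str, domains: Set[str]) -> bool:
    """Exact match or subdomain match (cdn.voyagorclub.space), never a bare
    substring match, so 'notvoyagorclub.space' is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample proxy log (hypothetical format: ts client method url status).
SAMPLE_LOG = """\
2024-08-19T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200
2024-08-19T10:03:17Z 10.0.0.7 GET https://voyagorclub.space/index.html 200
2024-08-19T10:03:19Z 10.0.0.7 GET https://cdn.voyagorclub.space/x.js 200
2024-08-19T10:04:00Z 10.0.0.9 GET https://notvoyagorclub.space/ 200
"""

# Pull the host out of the first http(s) URL on a line (port and path dropped).
URL_RE = re.compile(r"https?://([^/\s:]+)")


def find_hits(log_lines: Iterable[str], domains: Optional[Set[str]] = None) -> List[str]:
    """Return the log lines whose request host matches an IoC domain."""
    domains = IOC_DOMAINS if domains is None else domains
    hits = []
    for line in log_lines:
        m = URL_RE.search(line)
        if m and host_matches(m.group(1), domains):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print("IoC hit:", hit)
```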

The rootkit uses direct kernel object manipulation (DKOM) techniques to interfere with kernel security mechanisms. The rootkit operates entirely from user mode and tampers with the kernel through a kernel read/write primitive. No further malware activity was observed on the targeted devices.


The sandbox escape exploited the flaw CVE-2024-38106, an elevation of privilege vulnerability in the Windows kernel that Microsoft addressed on August 13, 2024.

Microsoft recommends that organizations keep systems up to date and use security solutions that provide unified visibility across the cyberattack chain, so that post-compromise attacker tools and malicious activity following exploitation can be detected and blocked. Microsoft also recommends hardening the operating environment’s configuration.

Indicators of compromise
