North Korea's 'Citrine Sleet' APT Exploits Zero-Day Chromium Bug

A well-known threat actor belonging to North Korean intelligence burned two novel vulnerabilities last month in an attempt to steal from the cryptocurrency industry to fund the Kim Jong Un regime.

Most financial cybercrime is carried out by middling and low-level cybercriminals looking for a quick buck. Not so with North Korea, whose sophisticated, multimillion- and billion-dollar cyber gambits against private industry in the West have helped fuel its nuclear weapons programs and other initiatives, according to US authorities and multiple cyber-researchers.

In an Aug. 30 blog post, Microsoft revealed that an entity within Bureau 121 of North Korea's Reconnaissance General Bureau — an APT it tracks as Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra) pulled off a caper that is among its most advanced yet. The group, known to be a subset of the infamous Lazarus Group, chained together previously unknown issues in Windows and Chromium browsers, then throwing a rootkit in the mix in order to achieve deep system access before stealing from targets.

Step 1: Actively Exploited Chromium Zero-Day

On Aug. 21, Google released an update to Chrome that included 38 security fixes. The highlight of the bunch, though, was CVE-2024-7971.

CVE-2024-7971 is a type confusion issue in the V8 engine that runs JavaScript in Chrome and other Chromium-based browsers. Using a specially crafted HTML page, an attacker could corrupt the browser's memory heap and take advantage in order to gain remote code execution (RCE) capabilities. The issue earned a "high" severity 8.8 out of 10 CVSS rating.

It wasn't just that the bug was severe — it also was actively being exploited.

Microsoft — whose Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) originally reported the issue to Google — has now colored in between the lines, noting that Citrine Sleet used CVE-2024-7971 in a campaign targeting crypto companies for financial gain.

Microsoft declined to provide Dark Reading with further information regarding the victims of the campaign, or consequences to those victims.

Step 2: Windows Kernel Bug

Known for targeting financial institutions, a typical Citrine Sleet attack begins with a fake website masked, for example, as a cryptocurrency trading platform. It can use that site as a launchpad for fake job openings, or to trick victims into downloading a fake crypto wallet or trading app laced with its custom Trojan, AppleJeus.

In this latest campaign, victims were lured through unknown social engineering tactics to the domain voyagorclub[.]space. Those who connected to the domain automatically triggered the zero-day memory corruption exploit in Chromium.

Hardly content with a single high-severity bug, Citrine Sleet chained its Chromium RCE exploit to a second high-severity bug, CVE-2024-38106. CVE-2024-38106 is a privilege escalation in the Windows kernel that allows an attacker to obtain valuable system-level privileges. (Its modest 7.0 CVSS score can be attributed to its complexity, and its requirement for existing local access to a targeted machine.)

Microsoft patched CVE-2024-38106 on Aug. 13, less than a week before its discovery of this latest Citrine Sleet activity. Notably, it also seems to have been recently exploited by an entirely different threat actor.

Step 3: Profit?

"The attack chain goes from directly compromising a sandboxed Chrome renderer process to compromising the Windows kernel rather than targeting the Chrome browser process," explains Lionel Litty, chief security architect at Menlo Security. "This means there are very limited opportunities to detect something amiss using tools that are observing the Chrome application behavior."

He adds, "Once in the kernel, the attacker is on a level playing field with security tooling on the endpoint, or may even have the upper hand, and detecting them becomes very challenging."

As part of its privilege escalation, Citrine Sleet deploys FudModule, a rootkit it shares with its fellow APT Diamond Sleet. FudModule uses direct kernel object manipulation (DKOM) techniques to best kernel security checks, and has been improved on in at least two notable instances since its first discovery three years ago. Earlier this year, for example, Avast researchers noted its new ability to disrupt protected process light (PPL) processes in Microsoft Defender, Crowdstrike Falcon, and HitmanPro.

Having reached the innermost corners of a targeted system, Citrine Sleet typically deploys its AppleJeus Trojan. AppleJeus is designed to grab the information needed to steal a victim's cryptocurrencies and cryptocurrency-related assets.

Still, "Remote code execution in Chrome costs upward of 100,000 bucks — $150,000, to be precise — in some black markets," notes Michal Salát, threat intelligence director with Avast. "The amount of money that Lazarus is burning on these exploits is pretty big. The question here that we are asking ourselves is: How sustainable is this for them?"