Citrine Sleet: North Korean Threat Actor Exploiting Chromium Zero-Day Vulnerability | Microsoft Security Blog

Microsoft linked the North Korean threat actor Citrine Sleet to exploiting a Chromium zero-day (CVE-2024-7971) to gain remote code execution against cryptocurrency targets. The post details the TTPs, the FudModule rootkit, mitigation steps, and IOCs such as voyagorclub.space and weinsteinfrog.com. #CitrineSleet #CVE-2024-7971 #FudModule #AppleJeus #DiamondSleet

Keypoints

  • North Korean threat actor Citrine Sleet exploited CVE-2024-7971 for financial gain in the cryptocurrency sector.
  • The vulnerability is a type confusion issue in the V8 JavaScript engine affecting Chromium versions prior to 128.0.6613.84.
  • Citrine Sleet uses social engineering to lure targets to malicious domains.
  • The FudModule rootkit is used for kernel access and evasion of detection.
  • Microsoft advises updating systems and browsers to mitigate risk.
  • IOCs include the domains voyagorclub[.]space and weinsteinfrog[.]com.
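A practical first step from the keypoints above is to find browsers still below the fixed build. The following is an added example (not code from the Microsoft post) that compares reported Chrome/Chromium versions against 128.0.6613.84 numerically, since comparing version strings lexicographically would wrongly treat a build such as 128.0.6613.9 as newer than 128.0.6613.84. The inventory, hostnames and the `triage` helper are constructed for this example.

```python
import re

# Build in which CVE-2024-7971 is fixed, as stated on the page: Chromium 128.0.6613.84.
FIXED_VERSION = "128.0.6613.84"

# Constructed sample inventory (hostname -> reported Chromium/Chrome build); not real hosts.
SAMPLE_INVENTORY = {
    "ws-001": "127.0.6533.120",   # pre-128 stable build: vulnerable
    "ws-002": "128.0.6613.84",    # exactly the fixed build: patched
    "ws-003": "128.0.6613.119",   # later 128 build: patched
    "ws-004": "128.0.6613.9",     # sorts after .84 as a string, but is numerically older
    "ws-005": "unknown",          # agent could not read the version
}

VERSION_RE = re.compile(r"\d+(?:\.\d+){3}")

def parse_version(text):
    """Return a 4-tuple of ints for a Chromium-style version such as '128.0.6613.84'.

    Raises ValueError when no 4-part dotted version is present, so callers can
    flag hosts whose build is unknown instead of silently treating them as patched.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chromium version in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build predates the fixed build.

    Compares tuples of integers, not strings: '128.0.6613.9' is older than
    '128.0.6613.84' numerically even though it sorts after it lexicographically.
    """
    return parse_version(installed) < parse_version(fixed)

def triage(inventory, fixed=FIXED_VERSION):
    """Map each host to 'vulnerable', 'patched' or 'unknown' (unparsable version)."""
    status = {}
    for host, version in inventory.items():
        try:
            status[host] = "vulnerable" if is_vulnerable(version, fixed) else "patched"
        except ValueError:
            status[host] = "unknown"
    return status

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {state}")
```

Two caveats: hosts reported as "unknown" need a follow-up rather than being assumed safe, and the 128.0.6613.84 threshold applies to Chrome/Chromium version numbers only; other Chromium-based browsers (Edge, Brave, Opera) carry their own version schemes and their own fixed builds.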

MITRE Techniques

  • [T1189] Initial Access – Drive-by Compromise: luring targets to an attacker-controlled domain that serves the CVE-2024-7971 browser exploit.
  • [T1203] Execution – Exploitation for Client Execution: using the V8 type confusion zero-day to execute code in the browser.
  • [T1543.003] Persistence – Create or Modify System Process: Windows Service (formerly T1050, New Service): installing the FudModule rootkit for persistence.
  • [T1068] Privilege Escalation – Exploitation for Privilege Escalation: exploiting the Windows kernel flaw CVE-2024-38106 to gain elevated privileges.
  • [T1562.001] Defense Evasion – Impair Defenses: Disable or Modify Tools, and [T1014] Rootkit: using the kernel-mode FudModule rootkit to evade detection.
  • [T1003] Credential Access – OS Credential Dumping: using the AppleJeus trojan to collect cryptocurrency credentials.
  • [T1071] Command and Control – Application Layer Protocol: communicating with C2 servers.

Indicators of Compromise

  • [Domain] – voyagorclub.space, weinsteinfrog.com
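To turn the two listed domains into a hunt, the following added example (not part of the Microsoft post) matches DNS query logs against them. It refangs `[.]` notation, normalises case and trailing dots, and matches on whole labels so that a subdomain such as `www.weinsteinfrog.com` is a hit while a lookalike such as `notvoyagorclub.space` is not, which a naive substring test would get wrong. The key=value log format, hostnames and usernames are constructed for this example and are not any product's real log format.

```python
import re

# The two domains the page lists as IOCs, kept defanged here so the file cannot
# be resolved or clicked by accident; refang() normalises them for matching.
IOC_DOMAINS = ["voyagorclub[.]space", "weinsteinfrog[.]com"]

# Constructed sample DNS-query log lines (key=value format chosen for this
# example, not Microsoft's or any product's actual log format).
SAMPLE_LOG = """\
2024-08-19T14:02:11Z host=ws-042 user=jdoe query=voyagorclub.space type=A
2024-08-19T14:02:12Z host=ws-042 user=jdoe query=www.weinsteinfrog.com type=A
2024-08-19T14:05:40Z host=ws-017 user=asmith query=notvoyagorclub.space type=A
2024-08-19T14:06:02Z host=ws-017 user=asmith query=update.googleapis.com type=A
2024-08-19T14:09:55Z host=ws-103 user=bchen query=WEINSTEINFROG.COM. type=AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+query=(?P<query>\S+)"
)

def refang(domain):
    """Normalise a possibly defanged name: lowercase, '[.]'/'(.)' -> '.', no trailing dot."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")

def matches_ioc(fqdn, iocs=IOC_DOMAINS):
    """True if fqdn is an IOC domain or a subdomain of one.

    Matches on whole labels (exact name or a '.'-prefixed suffix), so
    'notvoyagorclub.space' does not match 'voyagorclub.space'.
    """
    name = refang(fqdn)
    for ioc in iocs:
        bad = refang(ioc)
        if name == bad or name.endswith("." + bad):
            return True
    return False

def hunt(log_text, iocs=IOC_DOMAINS):
    """Return (timestamp, host, user, query) for every parsable line whose query hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it rather than abort the whole hunt
        if matches_ioc(m["query"], iocs):
            hits.append((m["ts"], m["host"], m["user"], refang(m["query"])))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("IOC hit:", *hit)
```

Domain IOCs age quickly as attacker infrastructure rotates, so a hit on these two names is high-confidence but their absence proves little; pair the lookup with the browser version triage and with endpoint telemetry for the kernel exploit and rootkit stages.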

Read more: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/