North Korean APT Group Exploits Chrome Zero-Day to Deploy FudModule Rootkit Malware

Credited by Pixabay

VTA-004493 – North Korean APT Group Exploits Chrome Zero-Day to Deploy FudModule Rootkit Malware

In a recent cyberattack, North Korean state-sponsored hackers successfully exploited a critical security vulnerability in Google Chrome and other Chromium-based web browsers. This zero-day attack, which was patched by Google in a recent update, allowed the attackers to deliver the FudModule rootkit, a highly sophisticated piece of malware designed to grant attackers extensive control over compromised systems.

The attack, attributed to the Citrine Sleet hacking group, specifically targeted financial institutions, particularly those involved in cryptocurrency. By tricking victims into visiting malicious websites disguised as legitimate cryptocurrency trading platforms, the attackers were able to exploit the vulnerability and execute malicious code. Once installed, the rootkit allowed the hackers to gain administrative privileges on the victim’s system, enabling them to steal sensitive data, including cryptocurrency assets.

This attack demonstrates the ongoing threat posed by North Korean cybercriminals, who have become increasingly sophisticated in their tactics. The use of a zero-day exploit, a vulnerability that is unknown to the software vendor until it is exploited, highlights the attackers’ advanced capabilities and their ability to stay ahead of security defenses.

The successful deployment of the FudModule rootkit poses a significant risk to compromised systems. The rootkit’s capabilities include stealthy persistence, data exfiltration, and remote code execution. These malicious functions allow the attackers to maintain a long-term presence on the compromised system, steal sensitive information, and execute additional attacks.

The incident serves as a stark reminder of the importance of maintaining up-to-date software and practicing good cyber hygiene. Regularly updating your software, avoiding suspicious websites, and being cautious of unsolicited.

Severity:
Medium

Attack Surface:
Endpoint, Web Application, Web Browser

Tactics:
Defense Evasion, Exfiltration, Initial Access, Persistence, Privilege Escalation

Techniques:
T1036 – Masquerading
T1068 – Exploitation for Privilege Escalation
T1176 – Browser Extensions
T1553 – Subvert Trust Controls
T1195 – Supply Chain Compromise
T1496 – Resource Hijacking
T1014 – Rootkit
 
Indicator of Compromise:
https://otx.alienvault.com/pulse/66d4dfdbf8ead45d069e1414

References:
1. https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

SuperPRO’s Threat Countermeasures Procedures: 
1. Implement automated patch management systems to streamline the process.
2. Ensure timely application of software and operating system patches to address known vulnerabilities.
3. Encrypt sensitive data both at rest and in transit to protect it from unauthorized access.
4. Implement strong access controls to limit user privileges and prevent unauthorized access to data.  
5. Maintain regular backups of critical data to enable recovery in case of a breach.

Contributed by: YewKS