Suspected North Korean hackers targeted crypto industry with Chromium zero-day


Hackers allegedly connected to the North Korean government targeted the cryptocurrency industry using a zero-day affecting the Chromium browser.

Microsoft revealed the campaign in a blog post on Friday, pointing the blame at a threat actor they call “Citrine Sleet.”

The group has previously been attributed to a unit of North Korea’s Reconnaissance General Bureau.

The tech giant noted that some of the tools involved in the campaign were used by other North Korean groups including one they call Diamond Sleet.

The vulnerability being exploited, CVE-2024-7971, was patched by Google last week. Google acknowledged that Microsoft notified them of the vulnerability on August 19.

The Cybersecurity and Infrastructure Security Agency (CISA), the top cybersecurity agency in the U.S., added CVE-2024-7971 to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have until September 16 to patch the bug on government systems.
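For anyone checking a fleet against this deadline, the practical question is whether each installed Chrome or Chromium build is at or above the first fixed build. The Python below is an added example, not code from the article, from Microsoft or from Google; it parses the four-part version string that `google-chrome --version` or `chromium --version` prints and compares it numerically against 128.0.6613.84, the first Stable build Google's release notes list as fixing CVE-2024-7971 (adjust the constant if you track another channel). The hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# First Stable build carrying the fix for CVE-2024-7971, per Google's Chrome
# release notes. Change this if you track a different channel or branch.
FIXED_VERSION = "128.0.6613.84"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome/Chromium version from free text.

    Accepts a bare version ("127.0.6533.119") as well as `--version` output
    such as "Google Chrome 127.0.6533.119" or "Chromium 126.0.6478.182 snap".
    Raises ValueError when no four-part version is present, so a caller
    never silently treats garbage as "patched".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome-style version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the first fixed build.

    Comparison is numeric per component, so 128.0.6613.113 sorts above
    128.0.6613.84 and 128.0.6613.9 sorts below it; a plain string compare
    would get both of those wrong.
    """
    return parse_version(version_text) >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' | 'VULNERABLE' | 'unknown' for a fleet inventory.

    `inventory` maps a hostname to the raw `--version` output collected from
    that host. Unparsable entries are reported as 'unknown' rather than
    dropped: a host you cannot assess is still a host you have to chase.
    """
    result: Dict[str, str] = {}
    for host, text in inventory.items():
        try:
            result[host] = "patched" if is_patched(text) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and version strings).
    sample = {
        "ws-01": "Google Chrome 127.0.6533.119",
        "ws-02": "Google Chrome 128.0.6613.84",
        "ws-03": "Google Chrome 128.0.6613.113",
        "ws-04": "Chromium 126.0.6478.182 snap",
        "ws-05": "bash: google-chrome: command not found",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

The version tuple compare is the part worth keeping: lexical comparison of version strings is a common source of false "patched" results once a build number crosses a digit boundary, and the regex deliberately refuses anything that is not a full four-part version so a failed command on a host shows up as work to do rather than as a clean result.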

According to Microsoft, Citrine Sleet focuses its attacks on financial institutions and cryptocurrency firms, creating networks of fake websites that are used to send fictitious job applications.

Some incidents involved the hackers attempting to have victims download malicious crypto wallets or trading applications made to look like legitimate platforms. 

“Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets,” they said.

The hackers directed targets to a domain they controlled, voyagorclub[.]space (possibly a nod to a now-defunct crypto platform), where CVE-2024-7971 was exploited in the victim's browser.

The exploit chain then deployed FudModule, a rootkit that Microsoft says other North Korean groups have used since 2021.

At least one victim in this campaign had previously been targeted by another North Korean group. Microsoft tied the attacks to a larger effort by Pyongyang to exploit vulnerabilities at “cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

North Korea’s government has made hacking cryptocurrency platforms a key pillar of its revenue strategy, netting $3 billion from attacks between 2017 and 2023, according to United Nations investigators.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
