Microsoft cybersecurity researchers identified a zero-day vulnerability in Chromium, the engine that powers the Chrome web browser and others, that had been exploited by the North Korean hacker group they call Citrine Sleet. The vulnerability was patched on Aug. 21, so it is important for users to update their browsers.
Microsoft identified Citrine Sleet with “medium confidence.” The group is known to target the cryptocurrency sector and is the developer of the AppleJeus trojan malware that has also been used by the Lazarus Group of hackers.
Third zero-day vulnerability of the year
Microsoft has notified targeted and compromised customers, but it did not say how many customers were affected. This was the third exploited vulnerability of this type that has been patched in Chromium this year. Google, the owner of the Chromium engine, patched the vulnerability two days after it was reported.
The hackers used FudModule rootkit malware to gain remote code execution. To do so, they used sophisticated social engineering tactics:
“The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.”
After that, the group commonly installed AppleJeus, which gathered the information needed to take control of the target’s crypto assets. Chrome versions prior to 128.0.6613.84 are vulnerable to attack.
Hackers trod a familiar path
Citrine Sleet was first spotted in December 2022, when Microsoft dubbed it DEV-0139. At that time, it created false identities on Telegram posing as employees of the OKX cryptocurrency exchange. Targets were asked to evaluate an Excel document that contained accurate information on various exchanges’ fee structures, as well as a malicious file that created a backdoor into the target’s computer.
Source: Microsoft Threat Intelligence
Citrine Street has been called Chollima by other investigators. Under that name, Kaspersky Labs found that it had infected the 3CX softphone app, targeting cryptocurrency investment startups using AppleJeus.
Magazine: 4 out of 10 NFT sales are fake: Learn to spot the signs of wash trading