How North Korean hackers exploited a Chromium browser zero-day to steal cryptocurrencies

A North Korean hacking group exploited a previously unknown vulnerability in Google Chrome earlier this month to target cryptocurrency organisations, according to Microsoft security researchers.
The zero-day flaw, identified as CVE-2024-7971, allowed remote code execution in Chrome’s V8 JavaScript engine. Google released a fix on August 21, 2024, but not before it was used in attacks attributed to a threat actor known as Citrine Sleet.
Microsoft’s Threat Intelligence team discovered the exploit activity on August 19. They assessed with high confidence that a North Korean group was behind the attacks, which aimed to steal cryptocurrency and financial assets.
Google confirmed the vulnerability was patched but declined further comment, as reported by TechCrunch.
The hackers directed targets to a malicious domain, voyagorclub[.]space, likely using social engineering tactics. When victims connected, the Chrome exploit was delivered, followed by a Windows kernel exploit (CVE-2024-38106) to escape the browser sandbox. This allowed deployment of a rootkit called FudModule.
Citrine Sleet, also known as AppleJeus and Labyrinth Chollima, has a history of targeting the cryptocurrency sector through fake websites, job offers, and trojanized crypto applications. The group is believed to operate under North Korea’s Reconnaissance General Bureau.
“North Korean actors will likely continue targeting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” Microsoft researchers stated.
The exploit chain relied on multiple components, including the Chrome flaw and Windows kernel vulnerability. Microsoft released a fix for CVE-2024-38106 on August 13, before discovering the North Korean activity.
To mitigate risks, users should update Chrome to version 128.0.6613.84 or later and apply the latest Windows security patches. Microsoft also recommends enabling security features in Microsoft Defender and other endpoint protection products.
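
As an added example (not code from the article or from Microsoft), the following Python triage flags hosts whose proxy log shows a connection to the domain named above and hosts whose Chrome version is below the fixed version. The log layout, host names and version inventory are constructed assumptions.

```python
# Added example; the log layout and host names are constructed assumptions.
from urllib.parse import urlsplit

IOC_DOMAIN = "voyagorclub[.]space"   # defanged, as written in the article
FIXED_CHROME = "128.0.6613.84"       # fixed Chrome version named in the article
IOC = IOC_DOMAIN.replace("[.]", ".").lower()  # refanged for matching only

def host_matches_ioc(url):
    """True if the URL's host is the IoC domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host == IOC or host.endswith("." + IOC)

def parse_version(text):
    """Return a 4-int tuple, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def chrome_needs_update(version):
    """True/False, or None when the version cannot be parsed."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < parse_version(FIXED_CHROME)

def triage(proxy_lines, inventory):
    """Map each inventoried host to 'investigate', 'patch', 'unknown' or 'ok'."""
    contacted = set()
    for line in proxy_lines:
        fields = line.split()  # assumed layout: "<timestamp> <client> <url>"
        if len(fields) == 3 and host_matches_ioc(fields[2]):
            contacted.add(fields[1])
    result = {}
    for host, version in inventory.items():
        stale = chrome_needs_update(version)
        by_version = "unknown" if stale is None else ("patch" if stale else "ok")
        result[host] = "investigate" if host in contacted else by_version
    return result

# Constructed sample data, including two lookalike hosts that must not match.
SAMPLE_PROXY = [
    f"2024-08-19T10:02:11Z ws-014 https://{IOC}/",
    f"2024-08-19T10:05:40Z ws-022 https://not{IOC}/",
    f"2024-08-19T10:07:02Z ws-031 https://{IOC}.example.com/",
]
SAMPLE_INVENTORY = {"ws-014": "128.0.6613.84", "ws-022": "128.0.6613.9",
                    "ws-031": "128.0.6613.113", "ws-040": "unknown"}

if __name__ == "__main__":
    print(triage(SAMPLE_PROXY, SAMPLE_INVENTORY))
```

Versions are compared as integer tuples because a plain string comparison would rank `128.0.6613.9` above `128.0.6613.84` and miss an unpatched host.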