Chromium Targeted by North Korean Hackers Using FudModule Rootkit


The Rise of the FudModule Rootkit: A Deep Dive into the North Korean Cyberattack on Cryptocurrency Firms

A recent cyberattack carried out by a North Korean threat actor has shed light on the vulnerabilities present in Google’s Chromium browser. Microsoft uncovered the attack, which involved the deployment of the FudModule rootkit targeting cryptocurrency firms for financial gain.

The attack, orchestrated by the notorious group Citrine Sleet, exploited a zero-day vulnerability in Chromium tracked as CVE-2024-7971. This sophisticated operation aimed to infiltrate the cryptocurrency sector by using a type confusion vulnerability in the V8 JavaScript and WebAssembly engine in earlier versions of Chromium.

Citrine Sleet’s tactics began with social engineering, luring victims to a malicious domain where the zero-day exploit was executed, allowing code execution within the sandboxed Chromium environment. Subsequently, the FudModule rootkit was deployed to establish persistent backdoor access to compromised systems, enabling data theft and further malware deployment.

This rootkit, historically associated with the Lazarus Group, showcases advanced features such as kernel-level access gained by exploiting a zero-day vulnerability in the AppLocker driver. The rootkit’s evolution includes techniques such as handle table entry manipulation, DKOM (direct kernel object manipulation), and registry and object callback removal, used to evade detection and disable security mechanisms.

Microsoft has advised immediate system updates and the deployment of robust security solutions to mitigate the risks posed by such attacks. Educating employees on cybersecurity best practices, implementing network segmentation, and monitoring network traffic are also recommended to enhance overall security posture and reduce the likelihood of falling victim to similar cyber threats.
