2 December 2024

North Korean Hackers Exploit Chrome Zero-Day Vulnerability to Steal Cryptocurrency

North Korean hackers exploited a Chrome zero-day vulnerability to steal cryptocurrency, targeting organizations in the crypto industry.

In August 2024, a North Korean hacking group tracked as Citrine Sleet exploited a previously undisclosed vulnerability in Chromium-based browsers to target organizations with the intent of stealing cryptocurrency, according to a report by Microsoft.

Microsoft's security researchers first observed the exploitation on August 19. The group, Citrine Sleet, is known for its focus on the cryptocurrency sector. The hackers took advantage of a zero-day flaw in the Chromium engine (tracked as CVE-2024-7971, a type confusion bug in the V8 JavaScript engine), which is the foundation for Chrome and other popular browsers, including Microsoft Edge. Google was unaware of the flaw when it was exploited, so no patch existed at the time of the attack. Google shipped a fix just two days later, on August 21.
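For a defender, the actionable question after a disclosure like this is which Chromium-based browsers in the fleet still run a build older than the fixed one. The script below is an added example, not code from the article or from Microsoft or Google: it parses Chromium-style version strings, compares them against a table of minimum fixed builds, and returns the hosts that predate the fix. The version numbers in FIXED_VERSIONS and the inventory lines are assumptions constructed for illustration; set the fixed builds from the vendor release notes for the bug you are tracking.

```python
"""Flag Chromium-family browsers whose installed build predates a fixed build.

Added example, not part of the original article. The fixed versions and the
inventory are assumptions constructed for illustration.
"""
from __future__ import annotations

# Assumed minimum fixed builds per browser; confirm against the vendor's
# release notes before relying on them for a real triage.
FIXED_VERSIONS = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",
}


def parse_version(v: str) -> tuple[int, ...]:
    """'128.0.6613.84' -> (128, 0, 6613, 84); rejects anything non-numeric."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(browser: str, version: str) -> bool:
    """True if the installed build is strictly older than the assumed fixed build."""
    fixed = FIXED_VERSIONS.get(browser.lower())
    if fixed is None:
        raise KeyError(f"no fixed version recorded for {browser!r}")
    # Tuple comparison orders component-wise, so 127.x sorts below 128.x and
    # 128.0.6613.84 sorts below 128.0.6613.120.
    return parse_version(version) < parse_version(fixed)


def triage(inventory: str) -> list[tuple[str, str, str]]:
    """Parse 'host,browser,version' lines and return the outdated entries."""
    hits = []
    for line in inventory.strip().splitlines():
        host, browser, version = (field.strip() for field in line.split(","))
        if is_vulnerable(browser, version):
            hits.append((host, browser, version))
    return hits


# Constructed sample inventory; hostnames and builds are made up.
SAMPLE_INVENTORY = """\
ws-01,chrome,128.0.6613.84
ws-02,chrome,127.0.6533.120
ws-03,edge,128.0.2739.42
ws-04,edge,127.0.2651.105
ws-05,chrome,128.0.6613.120
"""

if __name__ == "__main__":
    for host, browser, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {browser} {version} predates the fixed build")
```

Run against the sample inventory, only ws-02 and ws-04 are reported; a build equal to the fixed one counts as patched. In practice the inventory would come from your endpoint management tooling, and a host that is patched in the browser can still be exposed if the second stage described below, the Windows kernel bug, is unpatched, so the kernel update belongs in the same triage.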

Scott Westover, a spokesperson for Google, confirmed to TechCrunch that the bug has been patched but did not provide further comments.

Microsoft has reached out to customers who were targeted or compromised but has not disclosed specific details about the victims or the extent of the attack. Chris Williams, a Microsoft spokesperson, declined to specify how many organizations were affected.

The report indicates that Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly those involved in cryptocurrency management. The group has conducted thorough reconnaissance of the cryptocurrency landscape and its key players as part of its social engineering strategy.

Citrine Sleet employs tactics such as creating counterfeit websites that mimic legitimate cryptocurrency trading platforms. It uses these sites to distribute fraudulent job applications or to entice victims into downloading malicious cryptocurrency wallets or trading applications disguised as legitimate software. The group often deploys its own trojan, AppleJeus, which is designed to gather the information needed to seize control of victims' cryptocurrency assets.

The attack begins by luring the victim to a domain controlled by the attackers, where the browser zero-day gives them code execution inside Chromium's sandboxed renderer process. That sandbox limits what the exploit can do on its own, so the chain continues with a second exploit against a vulnerability in the Windows kernel, which escapes the sandbox and gains kernel privileges. With those privileges the attackers install a rootkit on the victim's computer. A rootkit is a type of malware that provides deep access to the operating system, effectively giving the hackers complete control over the compromised device.

Cryptocurrency has been a lucrative target for North Korean hackers for several years. A United Nations Security Council panel reported that the regime stole approximately $3 billion in cryptocurrency between 2017 and 2023. Faced with stringent international sanctions, the Kim Jong Un government has increasingly resorted to cryptocurrency theft to finance its nuclear weapons program.

Source: TechCrunch