Vulnerability Management, Threat Intelligence

Chromium zero-day leveraged by North Korean hackers


North Korean threat actor Citrine Sleet, believed to be a sub-cluster of the Lazarus Group, has been exploiting CVE-2024-7971, a recently patched high-severity type confusion flaw in the V8 JavaScript engine used by Chromium-based browsers, to deploy the FudModule rootkit, reports The Hacker News. The bug was exploited as a zero-day before Google shipped the fix in Chrome 128.0.6613.84.

Citrine Sleet, also tracked as Labyrinth Chollima, AppleJeus, UNC4736 and Nickel Academy, used social engineering to lure targets to an attacker-controlled website that triggered the V8 exploit. According to the Microsoft Threat Intelligence team, the exploit chain then ran shellcode targeting CVE-2024-38106, a Windows kernel privilege escalation vulnerability, to escape the browser sandbox and gain the privileges needed to install the rootkit. CVE-2024-38106 had been patched in the August 2024 Windows security update, so defenders need both the browser update and the Windows update to close the full chain. "This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," said researchers. The campaign follows earlier North Korean use of the Windows driver privilege escalation flaws CVE-2024-21338 and CVE-2024-38193 to deliver the same FudModule rootkit.
