In an alarming series of cyberattacks, a North Korean hacking group known as Citrine Sleet exploited a zero-day vulnerability in Chromium-based browsers to steal cryptocurrency. The vulnerability, CVE-2024-7971, impacted popular browsers such as Google Chrome and Microsoft Edge and was swiftly patched by Google on August 21, 2024, following the initial discovery by Microsoft two days earlier.

The hacking group targeted organizations within the cryptocurrency industry by tricking victims into visiting malicious websites that were under the hackers’ control. Once the users interacted with these fake domains, the attackers exploited the Chromium vulnerability to gain remote code execution (RCE) in their browser.

The attackers then deployed the FudModule rootkit, a sophisticated malware that allows deep access to the Windows operating system. Microsoft’s analysis indicates a connection between Citrine Sleet and another North Korean threat actor known as Diamond Sleet, which had previously used similar malware.

Citrine Sleet is part of North Korea’s ongoing cyber strategy to target cryptocurrency firms and financial institutions for financial gain. According to Microsoft’s blog post, “The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms,” often luring victims into downloading weaponized crypto wallets. These fake apps are designed to give the attackers full access to the victims’ digital assets, allowing them to steal significant sums of cryptocurrency.

Between 2017 and 2023, North Korean hackers have allegedly stolen $3 billion worth of cryptocurrency, as pointed out by the Record. This stolen digital currency is used to fund the regime’s activities.

Google quickly responded to the discovery by issuing a patch to all Chromium browsers on August 21. Although the immediate threat was neutralized by the software update, the campaign highlights the growing risks of zero-day vulnerabilities and the lengths to which North Korean hackers will go to circumvent security measures.

The US government has also taken action, mandating federal agencies to patch this vulnerability by September 16, 2024. Meanwhile, Microsoft has notified affected users and continues to monitor the situation.

In a previous campaign, North Korean hackers leveraged a flaw in a VPN’s update mechanisms to spread malware.