North Korean Hackers Exploit Chrome Flaw to Steal Cryptocurrencies

Highlights:

  • North Korean hackers exploit Chrome’s zero-day flaw to steal crypto assets.
  • Google fixed the vulnerability on August 21; users should update their browsers.
  • The hacking group was identified as Citrine Sleet, notorious for targeting the crypto industry.

According to a report published on August 30 by Microsoft’s cybersecurity team, a group of North Korean hackers known as “Citrine Sleet” exploited a then-unpatched flaw in Google Chrome to steal cryptocurrency from its victims.


Microsoft first identified the cyberattack on August 19, when the hackers exploited a vulnerability in the Chromium engine, the core code behind Chrome and other popular browsers such as Microsoft Edge. A flaw of this type is known as a “zero-day”: it is exploited before the vendor, in this case Google, is aware of it and has had any time to ship a fix.

The team attributed the attack to Citrine Sleet with “medium confidence.” The group targets the cryptocurrency sector and developed the AppleJeus trojan, malware also used by the Lazarus Group. The software is often disguised as a job application or a crypto wallet. Once installed, it gives the hackers control over the victim’s device, enabling them to steal cryptocurrency.

Google fixed this flaw on August 21, two days after Microsoft alerted them, so users should update their browsers. Microsoft has notified affected customers but has not disclosed how many organizations or individuals were affected by the attack.

How the North Korean Gang Exploits Chrome

This was the third vulnerability of this type patched in Chromium this year. The hackers used the FudModule rootkit malware to gain remote code execution, then typically installed AppleJeus to collect the information needed to take control of the target’s crypto assets. Chrome versions before 128.0.6613.84 are vulnerable to this attack.
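The practical defender's task here is checking whether each browser in an estate is at or above the patched build. The following is an added example, not code from the article or from Microsoft or Google: it compares dotted Chromium version strings against the 128.0.6613.84 threshold the article gives, pads shorter strings so that “128.1” compares sensibly, and reports unparsable records as unknown rather than silently treating them as safe. The hostnames and versions in the sample inventory are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Patched Chrome build as stated in the article; anything below it is vulnerable.
PATCHED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted Chromium version string into a tuple of ints.

    Returns None for malformed input instead of raising, so one bad
    inventory record does not abort a fleet-wide sweep.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if `version` is at or above the patched build, False if below,
    None if the string cannot be parsed."""
    v = parse_version(version)
    p = parse_version(patched)
    if v is None or p is None:
        return None
    # Pad the shorter tuple with zeros so "128.1" compares as "128.1.0.0".
    width = max(len(v), len(p))
    v = v + (0,) * (width - len(v))
    p = p + (0,) * (width - len(p))
    return v >= p


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split a {host: version} mapping into patched, vulnerable and unknown hosts.

    Unknown hosts are reported separately on purpose: a missing or garbled
    version string is a reporting failure, not evidence that the host is safe.
    """
    patched, vulnerable, unknown = [], [], []
    for host, version in inventory.items():
        state = is_patched(version)
        if state is None:
            unknown.append(host)
        elif state:
            patched.append(host)
        else:
            vulnerable.append(host)
    return sorted(patched), sorted(vulnerable), sorted(unknown)


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "ws-finance-01": "128.0.6613.84",   # exactly the patched build
    "ws-finance-02": "128.0.6613.120",  # later patch level of the same release
    "ws-trading-07": "127.0.6533.119",  # previous major release
    "ws-trading-08": "128.0.6613.83",   # one build short of the fix
    "ws-dev-03": "129.0.6668.58",       # newer major release
    "ws-kiosk-01": "unknown",           # inventory agent failed to report
}

if __name__ == "__main__":
    ok, vuln, unk = triage(SAMPLE_INVENTORY)
    print("patched:   ", ok)
    print("vulnerable:", vuln)
    print("unknown:   ", unk)
```

The comparison is done on integer tuples rather than on the raw strings, because a string comparison would rank “128.0.6613.9” above “128.0.6613.84”. Hosts in the unknown bucket should be re-queried or inspected by hand before the sweep is considered complete.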

The report stated:

“The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.” 

Citrine Sleet was first detected in December 2022, when Microsoft tracked it as DEV-0139. At that time, it created fake identities on Telegram, posing as employees of the OKX cryptocurrency exchange. Targets were asked to evaluate an Excel document containing accurate information on various exchanges’ fee structures. The document also carried a malicious file that opened a backdoor on their computers.

Investigators have also referred to Citrine Sleet as Chollima. Under this name, Kaspersky Labs discovered that it had compromised the 3CX softphone app, targeting cryptocurrency investment startups with AppleJeus.

Korean Hackers & Crypto Theft

In recent years, North Korean hackers have increasingly targeted the cryptocurrency sector. The United Nations Security Council estimates that between 2017 and 2023, they stole $3 billion in cryptocurrency. These cybercriminals have grown more sophisticated, frequently employing advanced techniques to exploit vulnerabilities in cryptocurrency exchanges and financial platforms.

North Korean hacking groups, including the notorious Lazarus Group, have been associated with several high-profile cryptocurrency heists. They often use the stolen funds to evade international sanctions and support the country’s regime. The stolen cryptocurrency is usually laundered through multiple channels, which complicates tracing and recovery efforts. Their growing activity presents a serious threat to the global financial system and has led to enhanced security measures across the cryptocurrency industry.
