Multiple North Korean threat actors are specifically targeting organizations and individuals in the cryptocurrency industry with both social engineering and exploitation of vulnerabilities, according to new warnings by Microsoft and the FBI.
Government-backed actors in North Korea have been focusing on cryptocurrency theft and laundering for many years and U.S. government officials have laid the blame for many large-scale intrusions at their feet, including the 2014 Sony hack, the Bangladesh Bank heist, and others. Those operations help finance the country’s military and other programs, and recently, some North Korean attackers have been running well-researched social engineering campaigns against people in the cryptocurrency field. In a new advisory, the FBI’s Internet Crime Complaint Center said those campaigns often take the form of fake job offers or investments.
“Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network. Before initiating contact, the actors scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms,” the advisory says.
“North Korean malicious cyber actors incorporate personal details regarding an intended victim’s background, skills, employment, or business interests to craft customized fictional scenarios designed to be uniquely appealing to the targeted person. North Korean fake scenarios often include offers of new employment or corporate investment. The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others.”
These campaigns often involve the use of fake personas or impersonation of real people, along with realistic-looking websites and social media content.
In addition to using social engineering, one North Korean actor has been exploiting a zero-day vulnerability in Chromium to target cryptocurrency organizations and install a rootkit on compromised systems. The flaw that the group, tracked by Microsoft as Citrine Sleet, exploited is CVE-2024-7971, a type confusion bug.
“The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served,” Microsoft said in an analysis of the attacks.
“After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity.”
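The exploit chain Microsoft describes starts with a visit to the actor-controlled domain, which makes that domain the earliest point at which a defender can spot exposure in proxy or DNS telemetry. The following Python script is an added example, not code from Microsoft or the FBI, that refangs the indicator as the page prints it (voyagorclub[.]space) and sweeps log lines for exact and subdomain matches. The log lines and the simple "timestamp client method target" layout are constructed for this example and are not from the page.

```python
import re
from urllib.parse import urlsplit

# Indicator quoted from the Microsoft analysis above, kept in its defanged form.
DEFANGED_IOCS = ["voyagorclub[.]space"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'voyagorclub[.]space' into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample telemetry (assumption: one record per line, fields separated by
# whitespace). Mixed case, trailing dots and ports are included on purpose so that the
# normalisation below is exercised; the look-alike host on the last line must not match.
SAMPLE_LOG = """\
2024-08-19T10:14:02Z 10.0.0.23 CONNECT voyagorclub.space:443
2024-08-19T10:14:05Z 10.0.0.23 GET https://update.VoyagorClub.space/loader.js
2024-08-19T10:15:11Z 10.0.0.41 GET https://example.org/index.html
2024-08-19T10:16:47Z 10.0.0.58 DNS voyagorclub.space.
2024-08-19T10:17:00Z 10.0.0.58 DNS notvoyagorclub.space
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)$")


def extract_host(target: str) -> str:
    """Pull a normalised hostname out of a URL, a host:port pair or a bare DNS name."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    elif re.search(r":\d+$", target):
        host = target.rsplit(":", 1)[0]
    else:
        host = target
    return host.lower().rstrip(".")


def host_matches(host: str, ioc_hosts) -> bool:
    """True for the IoC itself or any subdomain of it; 'notvoyagorclub.space' stays clean."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)


def scan_log(text: str, ioc_hosts=IOC_HOSTS) -> list:
    """Return one record per log line whose target host matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = extract_host(m["target"])
        if host_matches(host, ioc_hosts):
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "host": host})
    return hits


def affected_clients(hits) -> list:
    """Distinct source addresses that reached an indicator, for follow-up triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['method']} -> {h['host']}")
    print("clients to triage:", affected_clients(found))
```

Matching on the host alone, rather than the full URL, is deliberate: the exploit page and the follow-on payload stages can sit on different paths or subdomains of the same actor-controlled name, and the suffix check catches those without also flagging unrelated names that merely contain the indicator as a substring.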
The FudModule rootkit has been used by other North Korean actors as well, specifically Diamond Sleet.