Earlier in August, a North Korean cyber espionage unit exploited a previously unknown Chrome vulnerability in attacks on organizations aimed at cryptocurrency theft, according to Microsoft.
In a report published Friday, Microsoft's security analysts said they detected the activity on August 19 and attributed it to Citrine Sleet, a group with a history of intrusions against the cryptocurrency industry.
The group exploited a flaw in a core component of Chromium, the open-source engine behind Chrome and other widely used browsers such as Edge, according to Microsoft's findings. At the time of the attacks it was a zero-day: a flaw not yet known to Google, the browser's developer, so no fix existed before it was exploited. According to Microsoft, Google patched the flaw by August 21.
Google spokesperson Scott Westover, contacted by TechCrunch, confirmed only that the flaw had been patched and declined to comment further.
Microsoft said it has notified the organizations that were targeted or compromised, but has not disclosed how many victims there were or what kinds of organizations were affected.
Asked for details, Microsoft spokesperson Chris Williams declined to say how many organizations or companies had been compromised.
According to the Microsoft researchers, Citrine Sleet, which operates out of North Korea, primarily targets financial institutions, and in particular organizations and individuals that manage cryptocurrency, for financial gain. As part of its social engineering, the group conducts extensive reconnaissance of the cryptocurrency industry and the people who work in it.
“Employing decoy cryptocurrency trading sites that mirror legitimate platforms, the threat group deceives its targets with counterfeit job offers or entices them to download malicious versions of genuine cryptocurrency wallets or trading apps,” the report says. The group's signature malware, AppleJeus, is used to gain a foothold on target systems and collect the information needed to seize control of a victim's cryptocurrency assets.
The attack begins by luring a target to a malicious domain controlled by the attackers. After exploiting the Chromium flaw, the attackers exploit a separate flaw in the Windows kernel to install a rootkit, giving them deep access to the victim's system, Microsoft said. A rootkit running at kernel level sits beneath the operating system's own defenses and any endpoint security software, so this degree of access amounts to full control over the victim's machine and data.
North Korean state hackers have long treated cryptocurrency as a prime target. According to a United Nations Security Council report, the regime stole $3 billion in digital currency between 2017 and 2023 to fund its nuclear weapons program while under heavy international sanctions.
Compiled by Techarena.au.