Crypto Users Targeted by North Korean Hackers: Zero-Days at Fault?

A hacking group linked to North Korea exploited a zero-day vulnerability in the Chromium browser engine to steal cryptocurrency.

Introduction

A zero-day vulnerability recently patched by the developers of Google Chrome was exploited by North Korean hackers to steal cryptocurrency.

According to The Hacker News, North Korean state-sponsored actors, and the Lazarus Group in particular, have already made a habit of adding zero-day vulnerabilities targeting the Windows ecosystem to their arsenal. A group linked to North Korea is now reported to be exploiting a new zero-day in the browser that lets an attacker run code inside the browser's renderer process, which is the sandboxed process that executes a web page's JavaScript. The attackers chained that vulnerability with a second exploit to escape the sandbox, and used the resulting access to trick victims into installing malicious cryptocurrency wallets.

The Attack

According to multiple sources, the zero-day vulnerability was exploited by North Korean hackers in the following way:

  1. The attackers register a brand new domain and set up a website on it. In this case, the websites impersonated cryptocurrency trading platforms and offered visitors trojanized digital wallets for download.
  2. The website hosts an exploit for CVE-2024-7971, a vulnerability in the V8 JavaScript engine used by Chromium-based browsers, so that the exploit runs as soon as a victim visits the page.
  3. CVE-2024-7971 is a type confusion bug: the attacker's JavaScript makes V8 treat an object as if it were of a different type, which corrupts memory and gives the attacker code execution inside the renderer process.

Renderer code execution alone is confined by the browser sandbox. The attackers are therefore reported to have chained it with a vulnerability in the Windows kernel to escape the sandbox and install a rootkit called FudModule which, according to several security researchers, is almost a unique signature of the Lazarus Group, a North Korean state-sponsored hacking group. With that level of access, the attackers can monitor the crypto activity of a victim who owns a digital wallet and steal funds when the opportunity arises.

FudModule is a kernel-mode rootkit. In an earlier campaign, Lazarus-affiliated actors deployed it by exploiting a vulnerability in the Windows AppLocker driver (appid.sys); once running in the kernel it disables security monitoring so the attackers can move further into the victim's computer or server infrastructure undetected.

Needless to say, please update all of your Chromium-based products as soon as possible. Because the bug lives in V8, only Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi and others) are affected; the fix shipped in Chrome 128.0.6613.84, so every version before that is vulnerable.

Summary

The Lazarus Group, which is said to be affiliated with North Korea, has been setting up websites that pose as real crypto exchanges and offer infected digital wallets for download, then stealing the cryptocurrency stored in those wallets. Keep your software, and especially your browsers, up to date; if you need a reminder of why, read this blog once again.

Frequently Asked Questions

What is the Lazarus Group?

The Lazarus Group is a hacking group consisting of an unknown number of individuals. It is widely reported to be subordinate to the North Korean government and to have been active since the 2010s.

What Versions of Chromium Products Are Affected by This Security Vulnerability?

All versions of Chromium-based browsers prior to 128.0.6613.84 are affected by this security vulnerability. Please upgrade your Chromium browsers as soon as possible.

Do I Need to Worry About My Crypto Wallet?

If your Chromium browser is up to date, you don't log in to unknown websites, don't click on suspicious links, and keep your mnemonics and private keys safe, most likely not. Regardless, it is advisable to follow these security practices at all times.

Nirium
