A vulnerability on multiple web browsers was exploited by the Citrine Sleet threat actor to steal crypto from its victims, according to Microsoft.
A Microsoft report claims a North Korean threat actor has been exploiting a flaw in Chromium to steal cryptocurrency.
The company’s security blog attributed the exploitation of this bug “with medium confidence” to Citrine Sleet, a cyberattacker that primarily targets financial institutions – particularly those in the crypto sector – for financial gain. Microsoft said Citrine Sleet has been connected to North Korea’s Reconnaissance General Bureau.
The group has been observed exploiting a bug in the open-source browser project Chromium to infect victims with malware. This vulnerability could affect multiple web browsers, including Google Chrome and Microsoft Edge. A fix has been deployed for this “confusion vulnerability”, according to CISA.
Microsoft said Citrine Sleet creates fake websites that look like legitimate cryptocurrency trading platforms and then uses these sites to distribute fake job applications or lure targets into downloading a “weaponised cryptocurrency wallet or trading application”. The threat actor then deploys a unique trojan malware to collect information and steal the victim’s cryptocurrency assets.
The report suggests that there is a connection between this group and other North Korean threat actors, as the malware has been used by Diamond Sleet, another North Korean threat actor.
“Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors,” Microsoft said.
“Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation.”
Various US agencies and companies have attributed crypto hacks to North Korean threat actors. For example, the massive hack that saw more than $600m worth of cryptocurrency stolen from gaming-focused blockchain network Ronin was linked to North Korean hacker group Lazarus.
A report from Microsoft last year warned that Lazarus was spreading malware to more than 100 victims in multiple countries using a legitimate company installer.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.