Citrine Sleet leverages social engineering schemes to lure targets to websites.
The hacker group Citrine Sleet, believed to be a sub-cluster of the North Korean Lazarus Group threat operation, has launched attacks exploiting a recently patched CVE-2024-7971.
According to The Hacker News, the vulnerability can enable FudModule rootkit distribution.
Citrine Sleet — also known as Labyrinth Chollima, AppleJeus, UNC4736, and Nickel Academy - have leveraged social engineering schemes to lure targets into visiting a website that triggered the exploit, which enables not only the deployment of the rootkit, but also a shellcode for the Windows kernel privilege escalation vulnerability CVE-2024-38106.
The Microsoft Threat Intelligence team said this may suggest a 'bug collision’, where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors, according to researchers.
Such a development comes after Windows driver privilege escalation flaws, tracked as CVE-2024-21338 and CVE-2024-38193, have been used by North Korean hackers for FudModule rootkit delivery.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
