The report added that the FudModule rootkit was historically shared between Citrine Sleet and Diamond Sleet (formerly Zinc), another North Korean threat actor known for targeting the media, defense, and information technology (IT) industries around the world.
RCE to deliver FudModule
The report explained that victims were directed to voyagerclub[.]space, a domain controlled by Citrine Sleet. Although the exact method used to lure victims to the domain is unknown, social engineering is suspected, as it is a method commonly used by Citrine Sleet. Once the target connects to the domain, the zero-day RCE exploit for CVE-2024-7971 is served.
“After the RCE implementation achieved code execution in the sandboxed process of the Chromium renderer, the shellcode containing the Windows sandbox escape and the FudModule rootkit was downloaded, and loaded into memory,” Microsoft added in the report.