Citrine Sleet | |
Other Names | AppleJeus |
Location | North Korea |
Date of initial activity | 2023 |
Suspected Attribution | State Sponsored Actors |
Government Affiliation | Bureau 121 of North Korea’s Reconnaissance General Bureau |
Motivation | Financial Gain |
Software | Windows |
Overview
Citrine Sleet is a North Korean state-sponsored threat actor known for targeted attacks on the cryptocurrency sector. Operating within North Korea’s broader cyber program, the group pursues financial gain through well-orchestrated intrusions. It is tied to Bureau 121 of the Reconnaissance General Bureau, the state’s cyber warfare division, which conducts cyber espionage and financial theft campaigns worldwide. Citrine Sleet’s exploitation of vulnerabilities and deployment of custom malware reflect a sustained effort to raise revenue for the regime.
Since its emergence, Citrine Sleet has used a range of tactics, techniques, and procedures (TTPs) against financial institutions, especially those handling cryptocurrency. Through zero-day exploitation, social engineering, and custom malware, the group has compromised individuals and organizations across the cryptocurrency and financial technology sectors. Its hallmark tool is the AppleJeus trojan, malware built to steal sensitive data such as cryptocurrency wallet information. AppleJeus gives the actor control of victim systems, from which it exfiltrates assets and carries out financial fraud.
Common targets
Finance and Insurance
Australia
Attack Vectors
Phishing
Software Vulnerabilities
How they operate
A central element of Citrine Sleet’s operations is the exploitation of zero-day vulnerabilities. In August 2024, for example, the group exploited CVE-2024-7971, a type confusion flaw in Chromium’s V8 JavaScript engine, by directing victims to an attacker-controlled website hosting the exploit. The bug gave them remote code execution (RCE) inside the browser’s sandboxed renderer process. On its own that is not enough: the renderer sandbox limits what attacker code can reach on the host, so a second exploit is required to break out of it. Exploiting a flaw in such widely deployed software shows the group’s ability to acquire and operationalize high-value vulnerabilities before a fix is available.
Once the renderer was compromised, the next stage was shellcode carrying a Windows sandbox escape: an exploit for CVE-2024-38106, a Windows kernel vulnerability Microsoft had patched in its 13 August 2024 security update, so hosts that had applied that update were protected from the escape. On unpatched hosts the shellcode broke out of the sandbox and ran further payloads, deploying the FudModule rootkit, a tool Microsoft had previously observed with other North Korean actors, which performs direct kernel object manipulation to disable kernel security mechanisms and hide its presence. A host running FudModule cannot be trusted to report on itself, which is why this chain should be caught at the browser or kernel exploitation stage rather than afterwards.
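The two stages above leave a recognisable trace on the host even when the exploit code itself is never recovered. Chromium launches every renderer from its browser process and runs it sandboxed at Untrusted or Low integrity, and a renderer itself never spawns children; a child of a renderer, and especially a child running at higher integrity than the renderer, is the usual footprint of a successful escape. The following is an added example, not code from the original page or from Microsoft, that runs those heuristics over constructed process-creation records (fields modelled loosely on Sysmon Event ID 1; the events, field names and rule names are assumptions) and adds a fleet check against the Chrome stable build that shipped the CVE-2024-7971 fix. One caveat it cannot cover: a kernel exploit that installs the rootkit entirely from inside the renderer’s address space produces no child process, so this logic complements, rather than replaces, kernel-level telemetry.

```python
"""
Heuristic detection for the renderer-RCE -> sandbox-escape chain.

Rules (assumptions of this example, not vendor detections):
  renderer_spawned_child  - any process whose parent is a Chromium renderer;
                            severity "high" if the child's integrity level is
                            higher than the renderer's (escape/escalation).
  renderer_unsandboxed    - a renderer running above Low integrity, i.e. the
                            sandbox is off (for instance via --no-sandbox).
The event records below are constructed for this example; they are not
telemetry from any real incident.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows integrity levels, least to most privileged.
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

# Image names of Chromium-based browsers whose renderers we expect sandboxed.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Chrome stable 128.0.6613.84 (Google, 21 Aug 2024) shipped the fix for
# CVE-2024-7971; anything older is treated as unpatched here.
CVE_2024_7971_FIXED = (128, 0, 6613, 84)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str        # full path to the executable
    cmdline: str
    integrity: str    # Untrusted, Low, Medium, High or System


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    severity: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_renderer(ev: ProcessEvent) -> bool:
    """A Chromium renderer is identified by its --type=renderer switch."""
    return image_name(ev.image) in CHROMIUM_IMAGES and "--type=renderer" in ev.cmdline


def analyze(events):
    """Return a Finding for each suspicious event, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Rule 2: a renderer that is not sandboxed at all.
        if is_renderer(ev) and INTEGRITY_RANK[ev.integrity] > INTEGRITY_RANK["Low"]:
            findings.append(Finding("renderer_unsandboxed", ev.pid, "medium",
                                    f"renderer running at {ev.integrity} integrity"))
        # Rule 1: anything spawned by a renderer.
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_renderer(parent):
            continue
        escalated = INTEGRITY_RANK[ev.integrity] > INTEGRITY_RANK[parent.integrity]
        findings.append(Finding(
            "renderer_spawned_child", ev.pid, "high" if escalated else "medium",
            f"{image_name(ev.image)} ({ev.integrity}) spawned by renderer "
            f"pid {parent.pid} ({parent.integrity})"))
    return findings


def patched_for_cve_2024_7971(version: str) -> bool:
    """True if a dotted Chromium version is at or above the fixed build."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))          # pad short versions, e.g. "128.0.6613"
    return tuple(parts[:4]) >= CVE_2024_7971_FIXED


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcessEvent(100, 1,   CHROME, "chrome.exe", "Medium"),                       # browser process
    ProcessEvent(200, 100, CHROME, "chrome.exe --type=renderer --lang=en-US", "Untrusted"),
    ProcessEvent(210, 100, CHROME, "chrome.exe --type=gpu-process", "Low"),
    ProcessEvent(300, 200, r"C:\Windows\System32\rundll32.exe", "rundll32.exe", "Medium"),  # child of renderer
    ProcessEvent(400, 100, CHROME, "chrome.exe --type=renderer --no-sandbox", "Medium"),
    ProcessEvent(500, 1,   r"C:\Windows\System32\notepad.exe", "notepad.exe", "Medium"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: pid {f.pid}: {f.detail}")
    for v in ("127.0.6533.120", "128.0.6613.84", "128.0.6613"):
        print(v, "patched" if patched_for_cve_2024_7971(v) else "VULNERABLE")
```

Run against the sample, the rundll32 child of the Untrusted renderer is reported as a high-severity escape and the `--no-sandbox` renderer as a medium-severity misconfiguration; the browser’s own GPU and renderer children, which are spawned by the browser process, are not flagged.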
Citrine Sleet’s payloads are tailored to the cryptocurrency sector. Its AppleJeus trojan is crafted to steal information from cryptocurrency wallets and trading applications: once installed, it collects private keys, wallet data, and transaction histories so the actor can take control of the victim’s assets. AppleJeus is typically delivered as a trojanized copy of a legitimate-looking cryptocurrency trading application, which makes it hard for victims to spot. By luring individuals and organizations into installing these weaponized applications through social engineering, Citrine Sleet reaches high-value targets.
In addition to exploiting vulnerabilities and deploying malware, Citrine Sleet relies heavily on fake websites and phishing. The group sets up fraudulent cryptocurrency exchange sites or fake job offers to attract victims, pairing them with malicious links or attachments that deploy the malware when opened. This combination of technical exploits and social engineering is effective against organizations holding valuable assets, and the group’s ability to blend the two makes it a formidable adversary in the cryptocurrency space.
Citrine Sleet also maintains command and control (C2) infrastructure to communicate with compromised systems and exfiltrate stolen data, mixing legitimate-looking and obfuscated domains to slip past network security controls. Remote control of infected hosts enables further exploitation and theft, and gives the group persistence and operational flexibility.
The group is highly adaptable and updates its malware and exploitation techniques as defenses evolve. The CVE-2024-7971 campaign is a case in point: the Chromium flaw was exploited before Google shipped a fix, and it was chained with a separate Windows kernel bug rather than relying on a single vulnerability. This continuous evolution keeps Citrine Sleet a persistent threat to the cryptocurrency sector, which attracts attention because of its high value and its lighter regulatory oversight compared with traditional finance.
In conclusion, Citrine Sleet operates with a high degree of technical proficiency, leveraging zero-day vulnerabilities, custom malware, rootkits, and social engineering tactics to infiltrate targeted systems. Their ability to adapt and innovate in response to evolving security measures makes them a significant threat to cryptocurrency exchanges, financial institutions, and individuals within the industry. As cryptocurrency becomes an increasingly attractive target for state-sponsored actors like Citrine Sleet, organizations must remain vigilant and implement robust security measures to defend against such sophisticated cyber threats.