Following a special request from one of our most dedicated readers, we’re veering off from our three-part MITRE discussion to uncover the story behind one of the most enigmatic and persistent threats in the cyber world—Labyrinth Chollima, a.k.a. Citrine Sleet.
These North Korean attackers have made a name for themselves, especially with their latest zero day, and today, we’re pulling back the curtain on who they are, what they do, and how you can defend against them.
Note that threat actors go by many different names. As a former CrowdStriker, I tend to use the CrowdStrike nomenclature “Descriptor & Animal” (group & country of origin); more on this later.
The Latest Strike: Exploiting CVE-2024-7971
Let’s kick things off with their most recent exploit: the zero-day vulnerability in the Chromium browser, known in cyber circles as CVE-2024-7971. If you’ve been in the cybersecurity game long enough, you know that zero-days are the crown jewels for threat actors—unpatched, unguarded, and ready to be exploited.
This particular zero-day was a type confusion vulnerability in the V8 JavaScript engine, the heart of Chrome’s processing power. In non-cyber/tech speak, this flaw allowed malicious code to slip past defenses, leading to remote code execution (RCE) on unpatched systems. RCE is about as bad as it gets: these vulnerabilities allow attackers to run commands within the vulnerable application, and they are almost always rated critical.
The attack vector? A seemingly innocuous domain, voyagorclub[.]space, was the hunting ground where unsuspecting victims were lured and swiftly compromised.
Once inside, Labyrinth Chollima dropped the FudModule rootkit, a piece of malware that disrupts kernel security mechanisms. This rootkit is the digital equivalent of a burglar bypassing your home alarm and setting up camp in your basement, all without you knowing. With the FudModule in place, the attackers gained persistent access, pilfering sensitive data and laying the groundwork for further infiltration.
Dissecting the Attack: How It Went Down
Let’s break down how this attack unfolded:
Initial Access: The attackers targeted users with a phishing campaign, directing them to voyagorclub[.]space. This site, loaded with the exploit, would execute the attack as soon as the victim landed on the page.
Exploit Execution: The zero-day in the V8 engine was exploited to run malicious code, bypassing browser security.
Persistence Establishment: After gaining a foothold, the FudModule rootkit was deployed, allowing the attackers to disable security mechanisms and maintain long-term access.
Data Exfiltration: With full control over the compromised systems, the attackers exfiltrated sensitive data, using encrypted channels to avoid detection.
Covering Tracks: The FudModule helped them stay hidden, ensuring the victim’s systems remained compromised long enough to complete their objectives.
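One place a defender can act on the chain above is step one: the only indicator the write-up gives is the lure domain, and a web-proxy or DNS log sweep for it tells you which hosts to triage. The script below is an added example, not code from the original post; the proxy log lines and their field layout (timestamp, client IP, method, URL, user agent) are constructed for the demo, and the IoC is taken from the post and refanged only for matching. It deliberately treats look-alike hosts (a longer name that merely ends in the IoC, or the IoC used as a subdomain of another zone) as non-matches.

```python
"""Added example: sweep a proxy log for the lure domain named in the post.

The log lines below are constructed; the field layout is an assumption, not a
real product's format.
"""
import re
from urllib.parse import urlsplit

# Indicator as published in the post, defanged with "[.]".
DEFANGED_IOCS = ["voyagorclub[.]space"]

def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com' for matching."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed sample proxy lines: <ts> <client_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2024-08-19T10:02:11Z 10.1.4.22 GET https://www.example.com/index.html "Mozilla/5.0 Chrome/127.0.0.0"
2024-08-19T10:03:45Z 10.1.4.22 GET https://voyagorclub.space/ "Mozilla/5.0 Chrome/127.0.0.0"
2024-08-19T10:03:46Z 10.1.4.22 GET https://cdn.VoyagorClub.space/app.js "Mozilla/5.0 Chrome/127.0.0.0"
2024-08-19T10:05:02Z 10.1.4.31 GET https://notvoyagorclub.space/ "Mozilla/5.0 Chrome/128.0.0.0"
2024-08-19T10:06:30Z 10.1.4.31 GET https://voyagorclub.space.example.org/ "Mozilla/5.0 Chrome/128.0.0.0"
this line is garbage and must not crash the sweep
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def host_matches_ioc(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.
    'notvoyagorclub.space' and 'voyagorclub.space.example.org' must NOT match."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)

def find_hits(log_text: str) -> list:
    """Return one record per request to an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        ts, client, method, url, ua = m.groups()
        host = urlsplit(url).hostname or ""  # hostname is already lowercased
        if host_matches_ioc(host):
            hits.append({"time": ts, "client": client, "host": host, "ua": ua})
    return hits

def affected_clients(log_text: str) -> list:
    """Distinct client IPs that contacted an IoC domain, for triage/isolation."""
    return sorted({h["client"] for h in find_hits(log_text)})

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} -> {h['host']} ({h['ua']})")
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

In practice the client list feeds the incident response step: those hosts are the ones to check for the browser build in use at the time of the visit and for the kernel-level tampering the post describes.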
Who Is Labyrinth Chollima?
Now, onto the masterminds behind this digital heist. Labyrinth Chollima (aka Citrine Sleet, AppleJeus, and Hidden Cobra) is a North Korean state-sponsored hacking group with a well-documented history of cyber espionage and financial theft. They operate under the umbrella of Bureau 121, the cyber warfare division of North Korea’s Reconnaissance General Bureau.
Most threat intelligence vendors assign names to nation-state adversary groups, making them both memorable and easier to categorize. In the CrowdStrike scheme the animal denotes the country, and Chollima, the mythical winged horse, stands for North Korea. Labyrinth Chollima, like its namesake, is tricky, elusive, and agile, and has been active for years.
A History of High-Profile Attacks
Let’s take a stroll down memory lane and look at two of the most significant attacks attributed to Labyrinth Chollima.
Operation AppleJeus (2018-Present): This series of attacks marked a significant shift in North Korea’s cyber operations.
Instead of traditional bank heists, Labyrinth Chollima targeted cryptocurrency exchanges.
The AppleJeus Trojan, disguised as legitimate cryptocurrency trading software, was their weapon of choice. Once installed, it allowed them to steal credentials and drain cryptocurrency wallets.
This operation was highly successful, netting them millions of dollars to fund the regime. The AppleJeus Trojan is a perfect example of how these threat actors innovate, staying ahead of the curve by adapting to new financial technologies.
The Bithumb Heist (2018): Before AppleJeus, there was the Bithumb attack.
Bithumb, one of South Korea’s largest cryptocurrency exchanges, was hit hard by Labyrinth Chollima, resulting in the theft of $31 million in cryptocurrency.
This attack highlighted the vulnerability of cryptocurrency exchanges to state-sponsored actors and set the stage for future operations like AppleJeus.
The Bithumb attack wasn’t just about the money; it was a statement—a warning to the world that North Korea’s cyber capabilities were maturing.
The Tools of the Trade: FudModule and AppleJeus
Let’s dig into the tools that make Labyrinth Chollima such a formidable adversary.
FudModule: This rootkit is a nefarious masterpiece. It works by altering the Windows kernel, making it almost impossible for standard security tools to detect the malware’s presence. This allows the attackers to operate undetected, exfiltrating data and carrying out further attacks. Rootkits like FudModule are what make Labyrinth Chollima so dangerous and are what allow them to persist inside environments for months completely undetected.
AppleJeus Trojan: Disguised as a legitimate cryptocurrency application, AppleJeus is the digital equivalent of a Trojan horse. It infiltrates systems under the guise of being helpful software, but once inside, it collects critical data, including private keys and login credentials, which are then used to siphon off funds. The AppleJeus Trojan is a prime example of how Labyrinth Chollima has evolved from traditional cyber espionage to targeting modern financial systems.
Defending Against Labyrinth Chollima: What You Can Do
So, how can you protect your organization against such a sophisticated threat? Here are a few key steps:
Patch Management: First and foremost, apply patches as soon as they’re released. Google’s rapid response to CVE-2024-7971 with a patch on August 21, 2024, is a prime example of why timely updates are crucial. Unpatched systems open doors for threat actors like Labyrinth Chollima.
Advanced Threat Detection: Deploy security solutions that offer unified visibility across your network. This includes tools that can detect lateral movement and post-compromise activity.
Multi-Factor Authentication (MFA): Implement MFA across all sensitive accounts. This adds an additional layer of security, making it harder for attackers to gain access even if they manage to steal credentials.
User Education: Educate your employees about the risks of phishing and social engineering. Labyrinth Chollima often uses these tactics to gain initial access, so awareness is your first line of defense.
Incident Response Planning: Have a robust incident response plan in place. This should include regular drills and updates to ensure your team can respond quickly and effectively in the event of an attack.
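The patch management step is only as good as the check behind it, and a common mistake in home-grown version checks is comparing browser builds as strings. The script below is an added example, not from the original post: it audits a constructed endpoint inventory against a minimum patched build. The post does not give the fixed build number for CVE-2024-7971, so the baseline version used here is a labelled placeholder to be replaced with the value from Google’s advisory; the inventory lines and host names are constructed.

```python
"""Added example: audit an inventory of Chromium-based browsers against a
minimum patched build. Versions are compared numerically, field by field,
because as plain strings '9.0.0.0' sorts AFTER '128.0.0.0'."""

# PLACEHOLDER: not the real fixed build. Take it from Google's advisory for
# CVE-2024-7971 and keep one baseline per product (Chrome and Edge differ).
MIN_PATCHED = {"Chrome": "128.0.1000.0"}

def parse_version(v: str) -> tuple:
    """'127.0.1000.10' -> (127, 0, 1000, 10); short forms are padded with zeros."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def is_patched(installed: str, baseline: str) -> bool:
    return parse_version(installed) >= parse_version(baseline)

# Constructed inventory: <hostname>,<browser>,<version>
SAMPLE_INVENTORY = """\
ws-0101,Chrome,128.0.2000.5
ws-0102,Chrome,9.0.0.0
ws-0103,Edge,127.0.1500.20
ws-0104,Chrome,128.0
ws-0105,Chrome,unknown
"""

def audit(inventory_text: str, min_versions: dict) -> dict:
    """Sort hosts into patched / unpatched / unknown.
    'unknown' covers products with no baseline and unparseable versions, so
    they are surfaced for follow-up instead of silently passing."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue
        host, browser, version = fields
        baseline = min_versions.get(browser)
        if baseline is None:
            result["unknown"].append(host)
            continue
        try:
            ok = is_patched(version, baseline)
        except ValueError:
            result["unknown"].append(host)
            continue
        result["patched" if ok else "unpatched"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY, MIN_PATCHED).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Note the two hosts that would slip through a naive check: ws-0102 passes a string comparison because “9” sorts after “1”, and ws-0105 reports no usable version at all, which is exactly the kind of endpoint an attacker relying on an unpatched browser would find.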
Another Zero Day, The Same Problems
We cannot defend against zero days, but we can take actionable steps to increase our resilience against threat actors. Following the above steps is a great start. I’ve also included a few links (and, if you’re interested, a JSON file) to use as we defend ourselves against the rising tide of cyber threats.
As noted in a previous blog post, the MITRE ATT&CK Navigator is a great, free way to threat model against a threat like Labyrinth Chollima.
Check it out here: https://mitre-attack.github.io/attack-navigator/
I’ve included a list of MITRE Tactics and Techniques in the Reference section if you’d like to try it out yourself, and I have a shareable JSON you can map to the ATT&CK Navigator (comment on this post if you’d like it).
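If you would rather build the layer yourself than wait for the file, the script below is an added example (not the author’s JSON) that turns the technique list from the Reference section into an ATT&CK Navigator layer you can load via Open Existing Layer. The technique IDs and names are copied from this post; the ATT&CK, Navigator and layer-format version numbers in VERSIONS are assumptions to adjust to the Navigator build you use, and the colour and score are arbitrary.

```python
"""Added example: build an ATT&CK Navigator layer from the post's TTP list."""
import json

# Technique IDs and names exactly as listed in the post's Reference section.
TTPS = [
    ("T1566.001", "Spear Phishing: Attachment"),
    ("T1566.002", "Spear Phishing: Link"),
    ("T1071.001", "Application Layer Protocol: Web Protocols"),
    ("T1071.004", "Application Layer Protocol: DNS"),
    ("T1199", "Trusted Relationship"),
    ("T1133", "External Remote Services"),
    ("T1568", "Dynamic Resolution"),
    ("T1078.003", "Valid Accounts: Local Accounts"),
    ("T1499.002", "Endpoint Denial of Service"),
    ("T1490", "Inhibit System Recovery"),
    ("T1218", "Signed Binary Proxy Execution"),
    ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder"),
    ("T1070.004", "Indicator Removal on Host: File Deletion"),
]

# Assumption: adjust to the ATT&CK/Navigator versions you actually run.
VERSIONS = {"attack": "15", "navigator": "4.9", "layer": "4.5"}

def build_layer(ttps, name, color="#ff6666", score=1) -> dict:
    """Return a Navigator layer dict annotating every listed technique."""
    entries, seen = [], set()
    for tid, tname in ttps:
        if tid in seen:          # duplicate IDs would be rejected on load
            continue
        seen.add(tid)
        entries.append({
            "techniqueID": tid,
            "score": score,
            "color": color,
            "comment": tname,
            "enabled": True,
            "showSubtechniques": False,
        })
    # Sub-techniques are hidden under a collapsed parent by default, so add an
    # un-scored parent entry flagged to expand for each sub-technique present.
    for tid, _ in ttps:
        if "." in tid:
            parent = tid.split(".")[0]
            if parent not in seen:
                seen.add(parent)
                entries.append({"techniqueID": parent, "enabled": True,
                                "showSubtechniques": True})
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "description": "Techniques attributed to the group in the blog post's reference list",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": score},
        "legendItems": [{"label": name, "color": color}],
    }

def to_json(layer: dict) -> str:
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    layer = build_layer(TTPS, "Labyrinth Chollima (Citrine Sleet)")
    with open("labyrinth_chollima_layer.json", "w") as fh:
        fh.write(to_json(layer))
    print(f"wrote {len(layer['techniques'])} technique entries")
```

Once loaded, the annotated cells show at a glance where the group’s known techniques cluster, which is the point of the threat-modelling exercise: overlay your own detection coverage as a second layer and the gaps are the cells that are coloured in one and blank in the other.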
Thank you for joining me on this deep dive into the world of Labyrinth Chollima.
Stay secure and stay curious!
Damien
Reference:
MITRE TTPs:
T1566.001 - Spear Phishing: Attachment
T1566.002 - Spear Phishing: Link
T1071.001 - Application Layer Protocol: Web Protocols
T1071.004 - Application Layer Protocol: DNS
T1199 - Trusted Relationship
T1133 - External Remote Services
T1568 - Dynamic Resolution
T1078.003 - Valid Accounts: Local Accounts
T1499.002 - Endpoint Denial of Service
T1490 - Inhibit System Recovery
T1218 - Signed Binary Proxy Execution
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
T1070.004 - Indicator Removal on Host: File Deletion
1. The Record. (2024). Suspected North Korean hackers targeted crypto industry with Chromium zero-day.
2. BleepingComputer. (2024). North Korean hackers exploited a Chrome zero-day to deploy the FudModule rootkit.
3. TechCrunch. (2024). North Korean hackers exploited a Chrome zero-day to steal cryptocurrency.