A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer known as CyberLink to target downstream customers via a supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, is hosted on update infrastructure owned by the company, while also including checks to limit the time window for execution and evade detection by security products.
The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.
The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.
Microsoft further said it has observed the attackers utilizing trojanized open-source and proprietary software to target organizations in the information technology, defense, and media sectors.
Diamond Sleet, which overlaps with clusters dubbed TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that is also known as Lazarus Group. It is known to have been active since at least 2013.
“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.
The weaponized downloader and loader inspects the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if none is present, fetches another payload from a remote server that masquerades as a PNG file.
“The PNG file contains an embedded payload inside a fake outer PNG header that’s carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for the retrieval of additional payloads.
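A "fake outer PNG header" of the kind Microsoft describes passes a naive magic-byte check but does not survive a walk of the PNG chunk list. The following added example (not code from the article, Microsoft, or CyberLink) shows a defensive structural check: it parses chunks, verifies each CRC, and flags a missing IEND, a chunk length that runs past end of file, or data appended after IEND. The three sample blobs are constructed here for illustration and are not real LambLoad artefacts.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a well-formed PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report anything a genuine PNG would not contain."""
    if not data.startswith(PNG_SIG):
        return {"is_png": False, "findings": ["missing PNG signature"], "trailing_bytes": 0}
    findings, pos, saw_iend = [], len(PNG_SIG), False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_raw) < 4:
            # A declared length running past EOF means the chunk list is not real.
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        if not ctype.isalpha():
            findings.append(f"non-ASCII chunk type {ctype!r} at offset {pos}")
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(data) - pos if saw_iend else 0
    if not saw_iend:
        findings.append("no IEND chunk")
    if trailing:
        findings.append(f"{trailing} bytes appended after IEND")
    return {"is_png": True, "findings": findings, "trailing_bytes": trailing}


# Constructed samples (not real LambLoad artefacts): a 1x1 image skeleton ...
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
CLEAN_PNG = PNG_SIG + IHDR + make_chunk(b"IEND", b"")
# ... a fake outer header followed by an opaque blob where chunks should be ...
FAKE_HEADER_PNG = PNG_SIG + IHDR + b"ENCRYPTED-BLOB-PLACEHOLDER" * 4
# ... and a valid image with extra data hung off the end.
APPENDED_PNG = CLEAN_PNG + b"\x90" * 64
```

An empty `findings` list means the bytes are at least structurally a PNG; any finding is a reason to hold the download for closer inspection rather than treat it as an image.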
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns orchestrated by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
The surge in software supply chain attacks carried out by North Korean threat actors – 3CX, MagicLine4NX, JumpCloud, and CyberLink – has also prompted a new advisory from South Korea and the U.K., which warned of the growing sophistication and frequency of such attacks, urging organizations to put security measures in place to reduce the risk of compromise.
“The actors have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminate organizations via their supply chains,” the agencies said.
“These supply chain attacks […] align with and significantly help fulfil wider DPRK-state priorities, including revenue generation, espionage, and the theft of advanced technologies.”
After The Hacker News reached out to CyberLink for further information, the company shared the following statement –
On 11/22/2023, we identified a malware issue in the installation file for one of our programs, Promeo. Upon discovery, our dedicated cybersecurity team immediately removed the bug and additional security measures were put in place to prevent this from happening again in the future.
We are committed to maintaining the highest standards of digital security and are taking this matter extremely seriously. Therefore, as a precautionary measure, we made the decision to inspect the entire lineup of CyberLink products (e.g., PowerDirector, PhotoDirector, PowerDVD) using trusted tools like Microsoft Defender, CrowdStrike, Symantec, TrendMicro, and Sophos software. We can confirm that none of the other programs were affected.
(The article was updated after publication to include information about an advisory issued by South Korea and the U.K. on North Korea-linked software supply chain attacks as well as a statement from CyberLink.)