A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, is hosted on update infrastructure owned by CyberLink itself, and it includes checks that restrict the time window in which it will execute and that help it evade detection by security products.
The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.
The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.
Microsoft further said it has observed the attackers utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media sectors.
Diamond Sleet, which overlaps with the clusters tracked as TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that’s also called Lazarus Group. It has been active since at least 2013.
“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.
The weaponized downloader and loader inspects the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if not present, fetches another payload from a remote server that masquerades as a PNG file.
“The PNG file contains an embedded payload inside a fake outer PNG header that is carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for the retrieval of additional payloads.
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
The surge in software supply chain attacks conducted by North Korean threat actors – 3CX, MagicLine4NX, JumpCloud, and CyberLink – has also prompted a new advisory from South Korea and the U.K., which warned of the growing sophistication and frequency of such attacks, urging organizations to put security measures in place to reduce the likelihood of compromise.
“The actors have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminate organizations via their supply chains,” the agencies said.
“These supply chain attacks […] align and considerably help fulfill wider DPRK-state priorities, including revenue generation, espionage, and the theft of advanced technologies.”
Update
After The Hacker News reached out to CyberLink for further information, the company shared the following statement –
On 11/22/2023, we identified a malware issue in the installation file for one of our programs, Promeo. Upon discovery, our dedicated cybersecurity team immediately removed the bug and additional security measures were put in place to prevent this from happening again in the future.
We are committed to maintaining the highest standards of digital security and are taking this matter extremely seriously. Hence, as a precautionary measure, we made the decision to inspect the full lineup of CyberLink products (e.g., PowerDirector, PhotoDirector, PowerDVD) using trusted tools like Microsoft Defender, CrowdStrike, Symantec, TrendMicro, and Sophos software. We can confirm that none of the other programs were affected.
(The article was updated after publication to include information about an advisory issued by South Korea and the U.K. on North Korea-linked software supply chain attacks as well as a statement from CyberLink.)