A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a Trojan version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads the second-stage payload,” the Microsoft Threat Intelligence Team said in an analysis Wednesday.
The tech giant said the poisoned file is hosted on updated infrastructure owned by the company, while also including checks to limit the time frame for execution and bypass detection by security products.
The campaign is estimated to have affected more than 100 devices in Japan, Taiwan, Canada, and the US. Suspicious activity associated with a modified CyberLink installer file was observed as early as October 20, 2023.
The connection to North Korea stems from the fact that the second stage payload had established a connection with a command-and-control (C2) server that had previously been compromised by the threat actor.
Microsoft further said that it has seen attackers using trojanized open-source and proprietary software to target organizations in the information technology, defense and media sectors.
Diamond Sleet, which resembles the groups TEMP.Hermit and Labyrinth Chollima, is the nickname given to an umbrella group originating from North Korea also known as the Lazarus Group. It is known to have been active since at least 2013.
“Their operations since that time represent Pyongyang’s efforts to gather strategic intelligence to benefit North Korean interests,” Google-owned Mandiant said last month. “This actor targets government, defense, telecommunications, and financial institutions around the world.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on the targeted environment following the distribution of the compromised installer, which is codenamed Lambload.
The weaponized downloader and loader inspect the target system for the presence of security software from CrowdStrike, FireEye and Tanium, and if not present, fetch another payload from a remote server that masquerades as a PNG file.
“A PNG file contains an embedded payload inside a fake external PNG header, which is carved, decrypted, and launched into memory,” Microsoft said. After execution, the malware attempts to contact the legitimate-but-compromised domain to retrieve additional payloads.
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
The surge in software supply chain attacks conducted by North Korean threat actors – 3CX, MagicLine4NX, JumpCloud, and CyberLink – has also prompted a new advisory from South Korea and the U.K., which warned of the growing sophistication and frequency of such attacks, urging organizations to put security measures in place to reduce the likelihood of compromise.
“Actors have been observed taking advantage of zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminately access organizations through their supply chains,” the agencies said.
“These supply chain attacks […] significantly help meet broader DPRK-state priorities, including revenue generation, espionage, and theft of advanced technologies.”
