
CyberLink supply chain intrusion by North Korean hackers

CyberLink installer compromise: the sophisticated operation of the Lazarus group

The North Korean Lazarus group compromised the Taiwanese company CyberLink and distributed malware through a trojanized version of the company's own installer. Microsoft detected the attack and notified affected customers.


Operators of the North Korean Lazarus group managed to compromise the Taiwanese company CyberLink, which specializes in multimedia software. With this access they modified a legitimate CyberLink installer so that it delivered malware to anyone who downloaded it, a classic supply chain attack. According to the Microsoft Threat Intelligence Center, activity tied to the compromised installer was observed as early as October 20, 2023. The campaign had an international reach: more than 100 devices were infected across Japan, Taiwan, Canada and the United States.

Identifying the Diamond Sleet group behind the attack

Microsoft attributes this supply chain attack with high confidence to Diamond Sleet, a group also tracked as ZINC, Labyrinth Chollima and Lazarus. The attackers signed the malicious executable with a genuine code signing certificate originally issued to CyberLink, so the trojanized installer passed signature validation just like the real one. Microsoft has since added that certificate to its disallowed certificate list to block further use of binaries signed with it.

Analysis of the LambLoad malware

Technical analysis of the trojanized installer led to the identification of LambLoad, a malware downloader and loader. Before doing anything malicious, LambLoad checks whether security software from FireEye, CrowdStrike or Tanium is running on the host. If any of these products is present, it simply runs the legitimate CyberLink installer code and never activates the embedded malicious code. Only when none of the three is found does the malware connect to one of three command and control servers to retrieve a second-stage payload, which is hidden inside a file that looks like a PNG image and is requested with the static User-Agent string "Microsoft Internet Explorer".
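The two observable artifacts in that description, a fixed User-Agent string and an executable hidden in a file named as a PNG, are what a defender can hunt for. The following is an added example, not code from the original article or from Microsoft: a small Python detection that scans web-proxy log lines for the exact reported User-Agent and triages the bytes returned from a .png URL by checking for a real PNG signature versus a PE header (a DOS "MZ" stub whose e_lfanew points at "PE\0\0"). The log format, the hostnames and the sample file bodies are all constructed here; the assumption that the embedded payload is a PE image is an illustration, not something the article states.

```python
"""Hunting helpers for the LambLoad second-stage fetch (added example).

Assumptions (not from the article): proxy logs in a simple space-separated
form, placeholder hostnames, and a second stage that is a PE image. The
User-Agent value "Microsoft Internet Explorer" is the one the article reports.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

STATIC_UA = "Microsoft Internet Explorer"  # static string reported for the C2 fetch
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"            # 8-byte PNG file signature

# Constructed sample proxy log: timestamp, source IP, method, URL, status, "User-Agent".
SAMPLE_LOG = """\
2023-10-21T09:12:03Z 10.0.0.15 GET https://cdn.example.net/assets/logo.png 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-10-21T09:12:07Z 10.0.0.15 GET https://updates.example.org/img/banner.png 200 "Microsoft Internet Explorer"
2023-10-21T09:13:11Z 10.0.0.22 GET https://example.com/index.html 200 "Microsoft Internet Explorer"
2023-10-21T09:14:40Z 10.0.0.31 GET https://cdn.example.net/assets/icon.png 200 "curl/8.4.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    url: str
    severity: str  # "high" when the static UA fetches a .png, "medium" otherwise


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "ua": ua}


def find_suspicious_fetches(log_text: str) -> list[Hit]:
    """Flag every request sent with the exact static User-Agent.

    No real browser sends the bare string, so an exact match is already
    anomalous; a .png target on top of it matches the reported C2 pattern.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ua"] != STATIC_UA:
            continue
        path = urlparse(rec["url"]).path.lower()
        severity = "high" if path.endswith(".png") else "medium"
        hits.append(Hit(rec["ts"], rec["src"], rec["url"], severity))
    return hits


def _looks_like_pe(data: bytes, off: int) -> bool:
    """True if a DOS header at `off` has an e_lfanew that lands on a PE signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(data: bytes, start: int = 0) -> int:
    """Offset of the first PE image at or after `start`, or -1 if none."""
    off = data.find(b"MZ", start)
    while off != -1:
        if _looks_like_pe(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return -1


def classify_png_body(data: bytes) -> str:
    """Triage bytes fetched from a .png URL.

    Returns "png", "pe_disguised_as_png", "png_with_embedded_pe" or "not_png".
    """
    if _looks_like_pe(data, 0):
        return "pe_disguised_as_png"
    if data.startswith(PNG_MAGIC):
        if find_embedded_pe(data, len(PNG_MAGIC)) != -1:
            return "png_with_embedded_pe"
        return "png"
    return "not_png"


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew = 0x40."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for h in find_suspicious_fetches(SAMPLE_LOG):
        print(h)
    print(classify_png_body(PNG_MAGIC + b"\0" * 16 + fake_pe()))
```

Matching the User-Agent exactly rather than by substring keeps the rule quiet: genuine Internet Explorer identifies itself with a long Mozilla/Trident string, never with the bare product name. The PE check deliberately verifies the e_lfanew pointer instead of stopping at "MZ", because two arbitrary bytes occur by chance inside the compressed data of any large real PNG.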

The modus operandi and consequences of the Lazarus attack

Microsoft notes that the Lazarus group has used similar techniques against legitimate cryptocurrency software, but it has not yet observed hands-on-keyboard activity following LambLoad infections. The group nonetheless has a track record that includes stealing sensitive data, infiltrating software build environments, pivoting to downstream victims and establishing persistent access to compromised environments. Microsoft has notified CyberLink of the supply chain attack and is notifying affected customers of Microsoft Defender for Endpoint.


11/23/2023 12:51

Editorial AI
