
CyberLink supply chain intrusion by North Korean hackers

CyberLink installer compromise: the sophisticated operation of the Lazarus group

North Korean hacker group Lazarus attacked Taiwan's CyberLink company, spreading malware through altered company software. Microsoft detected the attack and notified affected users.


North Korean cybercriminals from the Lazarus group managed to infiltrate the Taiwanese company CyberLink, which specializes in multimedia software. This unauthorized access allowed them to modify a software installer in order to spread malware through a supply chain attack. According to the Microsoft Threat Intelligence Center, activity linked to the compromised CyberLink installer was detected as early as October 20, 2023. Analysis of the attack showed an international scope, with more than 100 devices infected across Japan, Taiwan, Canada and the United States.

Identifying the Diamond Sleet group behind the attack

Microsoft has identified with high confidence the Diamond Sleet group, already known under various names including ZINC, Labyrinth Chollima and Lazarus, as the perpetrator of this insidious supply chain attack. The attackers used a genuine code signing certificate, originally issued to CyberLink, to sign the malicious executable so that it appeared legitimate. Microsoft promptly added this certificate to its disallowed certificate list to prevent any further malicious use of it.

Analysis of the LambLoad malware

Technical analysis of the trojanized installer led to the identification of LambLoad, a malware downloader and loader. The payload is programmed to activate only on systems that are not protected by FireEye, CrowdStrike or Tanium security software. If one of these products is present, the installer simply continues running the legitimate code without activating the embedded malicious code. Otherwise, the malware connects to one of three command and control servers to fetch a second-stage payload, disguised inside a file that looks like a PNG image, using the static User-Agent string "Microsoft Internet Explorer".
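As an added example (not code from the article or from Microsoft's report), the two network traits described above can be turned into a simple detection pass over web proxy logs: the constant User-Agent string, and a ".png" URL whose response is not actually image content, plus a check of the PNG signature on a downloaded body. The log format, hosts and addresses below are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed proxy log sample (not real telemetry): ts client method url status content-type "user-agent"
SAMPLE_LOG = """\
2023-10-20T09:14:02Z 10.0.0.12 GET http://cdn.example.test/assets/logo.png 200 image/png "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-10-20T09:15:47Z 10.0.0.31 GET http://update.example.test/img/banner.png 200 image/png "Microsoft Internet Explorer"
2023-10-20T09:16:10Z 10.0.0.31 GET http://update.example.test/img/data.png 200 application/octet-stream "Microsoft Internet Explorer"
2023-10-20T09:17:55Z 10.0.0.44 POST http://api.example.test/v1/login 401 application/json "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
# Static User-Agent the article reports LambLoad using for its C2 request.
LAMBLOAD_UA = "Microsoft Internet Explorer"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

@dataclass
class Finding:
    ts: str
    client: str
    url: str
    reason: str

def parse_line(line):
    # Returns a dict of fields for a well-formed constructed log line, else None.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Flag requests carrying the static UA or a '.png' URL not served as image/png."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ua"] == LAMBLOAD_UA:
            reasons.append("static LambLoad User-Agent")
        if rec["url"].lower().endswith(".png") and rec["ctype"] != "image/png":
            reasons.append(f"'.png' served as {rec['ctype']}")
        if reasons:
            findings.append(Finding(rec["ts"], rec["client"], rec["url"], "; ".join(reasons)))
    return findings

def looks_like_png(data):
    """Check the 8-byte PNG signature of a downloaded body; a payload disguised as a PNG fails."""
    return data[:8] == PNG_MAGIC
```

A static User-Agent alone is a weak signal, so pair the hit with the content-type mismatch or the failed signature check before escalating.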

The modus operandi and consequences of the Lazarus attack

The Lazarus group, known for using similar methods in attacks on legitimate cryptocurrency software, has not yet been observed by Microsoft engaging in "direct keyboard activity" following LambLoad infections. However, the group has a track record of malicious activity, including stealing sensitive data, infiltrating software development environments, extending attacks to downstream victims, and establishing persistent access to victims' environments. Microsoft has notified CyberLink of the supply chain attack and is notifying Microsoft Defender for Endpoint customers who have been affected by it.


11/23/2023 12:51

Marco Verro
