
CyberLink supply chain intrusion by North Korean hackers

CyberLink installer compromise: the sophisticated operation of the Lazarus group

The North Korean hacker group Lazarus compromised the Taiwanese company CyberLink and distributed malware through a trojanized version of one of the company's own installers. Microsoft detected the attack and notified affected customers.


North Korean state-sponsored hackers from the Lazarus group managed to infiltrate the Taiwanese company CyberLink, which specializes in multimedia software. This unauthorized access allowed them to modify a legitimate CyberLink installer in order to distribute malware through a supply chain attack. According to the Microsoft Threat Intelligence Center, activity linked to the compromised CyberLink installer was detected as early as October 20, 2023. Analysis of the attack showed an international scope, with more than 100 devices infected in Japan, Taiwan, Canada and the United States.

Identifying the Diamond Sleet group behind the attack

Microsoft has attributed this supply chain attack with high confidence to the Diamond Sleet group, also tracked as ZINC, Labyrinth Chollima and Lazarus. The attackers signed the malicious executable with a genuine code signing certificate originally issued to CyberLink, so the trojanized installer carried a valid signature. Microsoft promptly added this certificate to its disallowed certificate list to prevent further malicious use of it.

Analysis of the LambLoad malware

Technical analysis of the trojanized software led to the identification of LambLoad, a malware downloader and loader. LambLoad first checks whether security software from FireEye, CrowdStrike or Tanium is running on the host. If any of these products is found, the loader simply continues executing the legitimate CyberLink software and never activates the embedded malicious code. If none is present, the malware connects to one of three command and control servers to retrieve a second-stage payload, disguised inside a file that looks like a PNG image, using the static User-Agent string "Microsoft Internet Explorer".
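The two observable artifacts described above, a static User-Agent string that a real browser would never send and a "PNG" that is not really an image, give defenders something to hunt for. The following Python script is an added example written for this page, not code from Microsoft's report or from CyberLink; the proxy log format, the hostnames and the sample bodies are constructed placeholders, not real indicators of compromise.

```python
"""Hunt for LambLoad-style C2 traffic in web proxy logs (added example)."""
import re
from dataclasses import dataclass

# Exact static User-Agent the article reports for LambLoad's C2 requests.
LAMBLOAD_UA = "Microsoft Internet Explorer"
# Eight-byte signature every genuine PNG file starts with.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample log lines in a simple space-separated proxy format:
#   timestamp client_ip method url status bytes "user-agent"
# The hostnames are placeholders (.test TLD), not real C2 servers.
SAMPLE_LOG = """\
2023-10-20T09:14:02Z 10.0.0.12 GET http://cdn.example.test/assets/logo.png 200 10412 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-10-20T09:14:07Z 10.0.0.12 GET http://updates.example.test/img/banner.png 200 66048 "Microsoft Internet Explorer"
2023-10-20T09:15:30Z 10.0.0.31 GET http://intranet.example.test/page.html 200 2048 "Microsoft Internet Explorer/7.0"
2023-10-20T09:16:01Z 10.0.0.12 POST http://updates.example.test/img/beacon.png 200 512 "Microsoft Internet Explorer"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    reason: str


def scan_proxy_log(text: str) -> list[Hit]:
    """Return one Hit per request carrying the bare LambLoad User-Agent."""
    hits: list[Hit] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not match the expected format
        # Exact comparison on purpose: legitimate IE traffic always carries a
        # version/platform suffix, so a bare string is the reported anomaly.
        if m["ua"] != LAMBLOAD_UA:
            continue
        reason = "static LambLoad User-Agent"
        if m["url"].lower().endswith(".png"):
            reason += "; .png download (possible disguised payload)"
        hits.append(Hit(m["ts"], m["src"], m["url"], reason))
    return hits


def is_real_png(body: bytes) -> bool:
    """True only if the body starts with the PNG signature."""
    return body[:8] == PNG_MAGIC


def trailing_bytes_after_iend(body: bytes) -> int:
    """Bytes appended after the IEND chunk (type + 4-byte CRC).

    A valid PNG ends right after IEND's CRC; anything beyond it is foreign
    data riding inside an image-looking file. Without IEND the whole body
    is treated as suspect.
    """
    idx = body.find(b"IEND")
    if idx < 0:
        return len(body)
    return max(0, len(body) - (idx + 4 + 4))


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.url} -> {hit.reason}")
```

Running the script over the constructed log flags only the two requests from 10.0.0.12 with the bare User-Agent; the "Microsoft Internet Explorer/7.0" line is deliberately left alone, since a versioned string is normal browser traffic. The two body checks are meant for the fetched "image" itself: a download that fails `is_real_png` or has a non-zero `trailing_bytes_after_iend` is worth pulling for analysis.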

The modus operandi and consequences of the Lazarus attack

The Lazarus group has previously used similar methods to trojanize legitimate cryptocurrency software. Microsoft has not yet observed hands-on-keyboard activity following LambLoad infections, but the group has a track record of exfiltrating sensitive data, compromising software build environments, moving downstream to additional victims and establishing persistent access to victims' environments. Microsoft has notified CyberLink of the supply chain attack and is notifying Microsoft Defender for Endpoint customers who were affected by it.


11/23/2023 12:51

Editorial AI
