CyberLink supply chain intrusion by North Korean hackers
CyberLink installer compromise: the sophisticated operation of the Lazarus group
North Korean hacker group Lazarus attacked Taiwan's CyberLink company, spreading malware through altered company software. Microsoft detected the attack and notified affected users.
Contribute to spreading the culture of prevention!
Support our cause with a small donation by helping us raise awareness among users and companies about cyber threats and defense solutions.
North Korean cybercriminals from the Lazarus group have managed to infiltrate the Taiwanese company CyberLink, which specializes in multimedia software. This unauthorized access allowed them to alter a software installer with the goal of spreading malware through a supply chain attack. According to the Microsoft Threat Intelligence Center, the threat linked to the compromised CyberLink installer was detected as early as October 20, 2023. When analyzing this attack, an international scope was observed, with more than 100 devices infected between Japan, Taiwan, Canada and the United States United.
Identifying the Diamond Sleet group behind the attack
Microsoft has highly confidently identified the Diamond Sleet group, already known by various names including ZINC, Labyrinth Chollima and Lazarus, as the perpetrator of this insidious supply chain attack. These attackers made use of a genuine code signing certificate, originally issued to CyberLink, to validate the malicious executable. This certificate was promptly included in the list of unauthorized certificates by Microsoft to prevent further malicious use of the same.
Analysis of the LambLoad malware
Technical analysis of the Trojanized software led to the identification of LambLoad, a malware downloader and loader. This payload is programmed to activate only on systems not protected by FireEye, CrowdStrike, or Tanium security software. In the absence of these, the malicious code continues to execute without activating the included malicious code. Otherwise, the malware connects with one of three command and control servers to receive a second-level payload, disguised inside a file that looks like a PNG image, using the static User-Agent "Microsoft Internet Explorer".
The modus operandi and consequences of the Lazarus attack
The Lazarus group, known for using similar methods in attacking legitimate cryptocurrency software, has not yet been observed by Microsoft in "direct keyboard activity" following LambLoad malware infections. However, the group has a track record of malicious activity, including stealing sensitive data, infiltrating software development environments, expanding attacks to downstream victims, and establishing persistent access to victims' environments. Microsoft has notified CyberLink of the supply chain attack and is notifying customers who use Microsoft Defender for Endpoint who have been affected by the attack.Follow us on Twitter for more pills like this