A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company, while also including checks to limit the time window for execution and evade detection by security products.
The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.
The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.
Microsoft further said it has observed the attackers utilizing trojanized open-source and proprietary software to target organizations in the information technology, defense, and media sectors.
Diamond Sleet, which overlaps with clusters dubbed TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that is also called Lazarus Group. It is known to have been active since at least 2013.
“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.
The weaponized downloader and loader check the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if none is present, fetch another payload from a remote server that masquerades as a PNG file.
“The PNG file contains an embedded payload inside a fake outer PNG header that’s carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for the retrieval of additional payloads.
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
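The "fake outer PNG header" technique described above is one a defender can screen for structurally: a file that starts with the PNG signature but whose chunk layout, CRCs, or end-of-image marker do not hold together is not a picture, whatever its name or content type says. The following checker is an added example written for this article; it is not code from Microsoft's analysis and makes no claim about how LambLoad's payload is actually laid out. All sample inputs (a constructed 1x1 PNG, a PNG signature followed by arbitrary bytes, and a valid PNG with data appended after IEND) are built inline for illustration.

```python
"""Added example (not from the article or Microsoft's analysis): a small
structural checker that flags files which carry a PNG signature but are not
well-formed PNG images, e.g. a payload sitting behind a fake outer PNG header,
or data appended after the IEND chunk. All sample inputs are constructed."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    """Walk the PNG chunk structure of `data` and report anomalies.

    Returns a dict with:
      is_png   - True if the 8-byte PNG signature is present
      chunks   - chunk type names encountered, in order
      findings - human-readable anomaly strings (empty for a clean file)
    """
    findings, chunks = [], []
    if not data.startswith(PNG_SIGNATURE):
        return {"is_png": False, "chunks": chunks, "findings": ["no PNG signature"]}

    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # Chunk types are four ASCII letters per the PNG specification.
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"non-ASCII chunk type at offset {pos}")
            break
        name = ctype.decode("ascii")
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            findings.append(f"chunk {name} at offset {pos} declares {length} bytes but file is truncated")
            break
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        # CRC covers the type code and the chunk data, not the length field.
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            findings.append(f"CRC mismatch in chunk {name} at offset {pos}")
        chunks.append(name)
        pos = body_end + 4
        if name == "IEND":
            saw_iend = True
            break

    if not chunks or chunks[0] != "IHDR":
        findings.append("first chunk is not IHDR")
    if not saw_iend:
        findings.append("no IEND chunk reached")
    elif pos < len(data):
        # A real encoder stops at IEND; anything after it is foreign data.
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    return {"is_png": True, "chunks": chunks, "findings": findings}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC (used to build samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_valid_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG, the benign reference."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", raw) + _chunk(b"IEND", b"")


def make_fake_header_blob() -> bytes:
    """Constructed sample: PNG signature followed by bytes that are not chunks."""
    return PNG_SIGNATURE + b"\x11\x22\x33\x44 not really chunks " + b"A" * 40


def make_trailing_data_png() -> bytes:
    """Constructed sample: a valid PNG with 64 extra bytes appended after IEND."""
    return make_valid_png() + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in [("valid", make_valid_png()),
                        ("fake header", make_fake_header_blob()),
                        ("trailing data", make_trailing_data_png())]:
        print(f"{label}: {inspect_png(blob)['findings'] or 'clean'}")
```

The check is deliberately conservative: it does not try to decode image data, only to confirm that what claims to be a PNG is shaped like one. That keeps it cheap enough to run on every image-typed download crossing a proxy or landing in a quarantine folder, and a non-empty `findings` list is a reason to look closer rather than a verdict on its own, since sloppy but benign encoders also produce trailing bytes or bad CRCs from time to time.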