Nov 23, 2023 | Newsroom | Software Supply Chain Attack

A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer known as CyberLink to target downstream customers via a supply chain attack.

“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.

The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products.

The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.

The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.

Microsoft further said it has observed the attackers utilizing trojanized open-source and proprietary software to target organizations in the information technology, defense, and media sectors.

Diamond Sleet, which overlaps with clusters dubbed TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that is also known as Lazarus Group. It is known to have been active since at least 2013.

“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”

Interestingly, Microsoft said it didn’t detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.

The weaponized downloader and loader check the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if none is present, fetch another payload from a remote server that masquerades as a PNG file.

“The PNG file contains an embedded payload inside a fake outer PNG header that’s carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for the retrieval of additional payloads.
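As an added, defender-side illustration (not code from Microsoft or from the original article), the check below walks the chunk structure that must sit behind a PNG signature, which is what separates a real image from a blob that only wears a fake outer PNG header; the sample blobs are constructed here, not captured from the campaign.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def audit_png(blob: bytes) -> list[str]:
    """Walk the chunk layout behind a PNG signature; an empty list means structurally valid.
    Findings flag a signature with no real chunks behind it, a CRC that no longer
    matches (data patched in place), or bytes smuggled in after the last chunk."""
    findings: list[str] = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos, first, seen_iend = len(PNG_SIGNATURE), True, False
    while pos + 8 <= len(blob) and not seen_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            findings.append(f"chunk {ctype!r} at offset {pos} runs past end of file")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch on chunk {ctype!r} at offset {pos}")
        if first and ctype != b"IHDR":
            findings.append(f"first chunk is {ctype!r}, not IHDR")
        first = False
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk")
    if pos < len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after last parsed chunk")
    return findings


# Constructed samples (not artifacts from the campaign): a minimal valid 1x1
# grayscale PNG, then two blobs that carry a PNG signature but are not images.
VALID_PNG = (PNG_SIGNATURE
             + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + png_chunk(b"IEND", b""))
FAKE_HEADER_ONLY = PNG_SIGNATURE + b"ENCRYPTED-STAGE-TWO-PLACEHOLDER" * 4
PAYLOAD_AFTER_IEND = VALID_PNG + b"ENCRYPTED-STAGE-TWO-PLACEHOLDER"
```

Run `audit_png` over image downloads that arrive from an update channel: a non-empty finding list on a file the application treats as an image is the kind of signal worth alerting on.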

The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and to obtain unauthorized employment with organizations based in the U.S. and other parts of the world.

Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
