A North Korean state-sponsored threat actor tracked as Diamond Sleet distributed a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers through a supply chain attack.
“This malicious file is a legitimate CyberLink application installer modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, was hosted on update infrastructure owned by the company, and it included checks that limit the time window in which it executes and that evade detection by security products.
The campaign is estimated to affect more than 100 devices across Japan, Taiwan, Canada, and the US. Suspicious activity related to a modified CyberLink installer file was observed on October 20, 2023.
The North Korean links stem from the fact that the second-stage payload established connections to command-and-control (C2) servers that were previously compromised by the threat actor.
Microsoft also said it has observed attackers using trojanized open-source and proprietary software to target organizations in the information technology, defense, and media sectors.
Diamond Sleet, which overlaps with groups tracked as TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that is also called the Lazarus Group. It is known to have been active since 2013.
“Their operations since that time represent Pyongyang’s efforts to gather strategic intelligence to benefit North Korean interests,” Google-owned Mandiant said last month. “This actor targets government, defense, telecommunications, and financial institutions around the world.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity in the target environments after distribution of the tampered installer, codenamed LambLoad.
The weaponized downloader and loader checks the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and, if none is found, retrieves another payload from a remote server disguised as a PNG file.
“The PNG file contains an embedded payload inside a fake external PNG header that is carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for obtaining additional payloads.
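As an added defender-side illustration (not code from Microsoft or from the campaign described), the following Python walker parses PNG chunk structure and flags files whose PNG header is not backed by a well-formed image: a chunk running past end of file, a bad CRC, a missing IEND, or bytes appended after IEND. The samples are constructed placeholders, not the actual LambLoad payload.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the benign reference sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def inspect_png(data: bytes) -> dict:
    """Walk the chunk structure and flag what a payload behind a PNG header
    leaves behind: bad CRCs, a chunk running past EOF, no IEND, or data after IEND."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return {"is_png": False, "findings": ["missing PNG signature"], "trailing_bytes": 0}
    pos, saw_iend = len(PNG_SIGNATURE), False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            findings.append(f"chunk {ctype!r} at offset {pos} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append(f"bad CRC in chunk {ctype!r} at offset {pos}")
        pos = chunk_end
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(data) - pos if saw_iend else 0
    if not saw_iend:
        findings.append("no IEND chunk reached")
    if trailing:
        findings.append(f"{trailing} bytes appended after IEND")
    return {"is_png": True, "findings": findings, "trailing_bytes": trailing}

# Constructed samples (placeholders, not real artifacts): a clean PNG, the same
# PNG with a blob appended after IEND, and a PNG signature over opaque bytes.
CLEAN = make_minimal_png()
APPENDED = CLEAN + b"\x00" * 64
FAKE_HEADER = PNG_SIGNATURE + b"\xa5" * 48
```

A file that triggers any finding is not proof of malice on its own, but a "PNG" fetched by an installer that fails this structural check is worth quarantining and correlating with the process that downloaded it.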
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment in organizations based in the US and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in exploiting a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to gain access to vulnerable servers and install a backdoor known as ForestTiger.