A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products.
The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.
The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.
Microsoft further said it has observed the attackers utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media sectors.
Diamond Sleet, which dovetails with clusters dubbed TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that’s also called Lazarus Group. It’s known to be active since at least 2013.
“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.
The weaponized downloader and loader inspect the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if not present, fetch another payload from a remote server that masquerades as a PNG file.
“The PNG file contains an embedded payload inside a fake outer PNG header that is, carved, decrypted, and launched in memory,” Microsoft said. Upon execution, the malware further attempts to contact a legitimate-but-compromised domain for the retrieval of additional payloads.
The disclosures come a day after Palo Alto Networks Unit 42 revealed twin campaigns architected by North Korean threat actors to distribute malware as part of fictitious job interviews and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.