North Korean hackers have been blamed for a sophisticated supply chain campaign in which they compromised legitimate multimedia software to distribute malware to its users.
Microsoft attributed the attacks, which have impacted over 100 devices in countries including Japan, Taiwan, Canada and the US, to the Diamond Sleet (aka Lazarus, Hidden Cobra) group.
It targeted Taiwanese multimedia software developer CyberLink, trojanizing one of its software installers in order to distribute the LambLoad downloader.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” Microsoft explained.
“The file, which was signed using a valid certificate issued to CyberLink, is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.”
LambLoad first checks that the targeted machine isn’t running FireEye, CrowdStrike or Tanium security products; only if none is present does it attempt to contact one of three URLs to download the second-stage payload. That payload is embedded inside a file masquerading as a PNG image, and the download request uses the static User-Agent string “Microsoft Internet Explorer,” Microsoft said.
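Two defender-side checks that follow directly from the behaviour described above, written here as an added example (this is not code from Microsoft's report, CyberLink, or the article): flag outbound requests carrying the fixed “Microsoft Internet Explorer” User-Agent, and verify that anything served or stored as a PNG actually begins with the PNG file signature. The proxy log format, the hostnames and the sample lines and byte strings are constructed for illustration and are not indicators from the campaign.

```python
"""
Added example, not from the original article or Microsoft's write-up.
Assumptions: the proxy log format below is hypothetical, and all hostnames,
IPs and sample bytes are constructed for illustration.
"""
import re
from typing import Dict, List

# Static User-Agent the article attributes to LambLoad's download request.
# A bare, version-less UA like this is rare in real browser traffic.
SUSPICIOUS_UA = "Microsoft Internet Explorer"

# Every genuine PNG starts with this 8-byte signature (PNG spec, section 5.2).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed log lines. Hypothetical format:
#   <timestamp> <client_ip> <method> <url> <status> <content-type> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2023-11-20T10:01:02Z 10.0.0.15 GET https://update.example.invalid/cl/setup.exe 200 application/octet-stream "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-11-20T10:01:09Z 10.0.0.15 GET https://cdn.example.invalid/img/banner.png 200 image/png "Microsoft Internet Explorer"
2023-11-20T10:02:44Z 10.0.0.22 GET https://cdn.example.invalid/img/banner.png 200 image/png "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"
"""

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the hypothetical log format into dicts; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ctype, ua = m.groups()
        entries.append({
            "ts": ts, "client": client, "method": method, "url": url,
            "status": status, "content_type": ctype, "ua": ua,
        })
    return entries


def find_static_ua_requests(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Exact match on the static UA: the malware sends it verbatim, so
    substring matching would only add false positives from real IE traffic."""
    return [e for e in entries if e["ua"] == SUSPICIOUS_UA]


def is_real_png(data: bytes) -> bool:
    """True only if the content starts with the PNG signature."""
    return data[:8] == PNG_MAGIC


def looks_like_masqueraded_png(content_type: str, data: bytes) -> bool:
    """Flag content that claims to be a PNG (by MIME type or filename) but
    lacks the signature, which is how an encrypted second stage hides."""
    claims_png = content_type.lower() == "image/png"
    return claims_png and not is_real_png(data)


def triage(log_text: str, bodies_by_url: Dict[str, bytes]) -> List[str]:
    """Combine both checks over a log and the bodies a sandbox or proxy
    captured for each URL. Returns human-readable findings."""
    findings = []
    entries = parse_proxy_log(log_text)
    for e in find_static_ua_requests(entries):
        findings.append(f"static-UA request from {e['client']} to {e['url']}")
    for e in entries:
        body = bodies_by_url.get(e["url"])
        if body is not None and looks_like_masqueraded_png(e["content_type"], body):
            findings.append(f"non-PNG content served as image/png from {e['url']}")
            break  # one finding per URL is enough
    return findings


if __name__ == "__main__":
    # Constructed body: the "PNG" the static-UA client fetched is really an
    # opaque blob (here just arbitrary bytes), so it fails the magic check.
    fake_bodies = {"https://cdn.example.invalid/img/banner.png": b"\x13\x37" * 16}
    for line in triage(SAMPLE_PROXY_LOG, fake_bodies):
        print(line)
```

Both checks are cheap enough to run over a day of proxy logs; the static User-Agent match is the higher-signal of the two, while the signature check is useful on whatever a sandbox or download inspection point retained. Neither replaces the other: a PNG-masqueraded blob fetched with a normal User-Agent would only be caught by the signature check, and a static-UA request whose body was never captured only by the first.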
The Redmond giant explained that the command-and-control (C2) infrastructure that this secondary payload tries to communicate with has previously been compromised by Diamond Sleet.
Although Microsoft has not yet identified what follows once LambLoad has compromised a machine, it warned that the APT group has in the past exfiltrated sensitive data, compromised software build environments, moved downstream to exploit additional victims and established persistent access to victim environments.