A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by CyberLink, a Taiwanese multimedia software company, to target downstream customers via a software supply chain attack.
“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the Microsoft Threat Intelligence team said in an analysis on Wednesday.
The poisoned file, the tech giant said, is hosted on legitimate update infrastructure owned by the company, and it also includes checks that restrict the time window for execution and evade detection by security products.
The campaign is estimated to have affected more than 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023.
The links to North Korea stem from the fact that the second-stage payload establishes connections with command-and-control (C2) servers previously compromised by the threat actor.
Microsoft further said it has observed the attackers using trojanized open-source and proprietary software to target organizations in the information technology, defense, and media sectors.
Diamond Sleet, which overlaps with clusters dubbed TEMP.Hermit and Labyrinth Chollima, is the moniker assigned to an umbrella group originating from North Korea that is also known as Lazarus Group. It is known to have been active since at least 2013.
“Their operations since that time are representative of Pyongyang’s efforts to collect strategic intelligence to benefit North Korean interests,” Google-owned Mandiant noted last month. “This actor targets government, defense, telecommunications, and financial institutions worldwide.”
Interestingly, Microsoft said it did not detect any hands-on-keyboard activity on target environments following the distribution of the tampered installer, which has been codenamed LambLoad.
The weaponized downloader and loader checks the target system for the presence of security software from CrowdStrike, FireEye, and Tanium, and if none is present, fetches another payload from a remote server that masquerades as a PNG file.
“The PNG file contains an embedded payload inside a fake outer PNG header that is carved, decrypted, and launched in memory,” Microsoft said. On execution, the malware further attempts to contact a legitimate-but-compromised domain to retrieve additional payloads.
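A file that carries a real PNG signature but is not actually an image is one of the few things a defender can check for mechanically. The script below is an added example written for this article; it is not Microsoft's analysis code, not a signature for LambLoad, and it assumes only that a payload stuffed behind a fake PNG header either fails to parse as well-formed PNG chunks or leaves bytes after the IEND chunk. It walks the chunk structure (length, type, data, CRC), verifies each CRC, and reports anything a genuine encoder would not produce. The sample inputs are constructed inline: a minimal valid 1x1 PNG, the same image with data appended after IEND, and a PNG signature followed by an arbitrary blob standing in for a disguised payload.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit greyscale PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                      # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE
            + build_png_chunk(b"IHDR", ihdr)
            + build_png_chunk(b"IDAT", idat)
            + build_png_chunk(b"IEND", b""))


# Constructed sample: a genuine PNG signature followed by an opaque blob (hypothetical
# payload bytes, not anything recovered from the campaign described above).
SAMPLE_FAKE_PNG = PNG_SIGNATURE + b"MZ\x90\x00" + bytes(range(40))


def analyze_png(data: bytes) -> dict:
    """Walk the chunk structure and return structural findings.

    findings is empty for a well-formed PNG; trailing_bytes counts data after IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        return {"is_png": False, "findings": ["missing PNG signature"],
                "trailing_bytes": 0, "chunks": []}
    findings = []
    chunk_types = []
    trailing = 0
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:                  # length + type + CRC is the minimum chunk
            findings.append(f"truncated chunk header at offset {pos}")
            break
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"non-ASCII chunk type {ctype!r} at offset {pos + 4}")
            break
        if pos + 12 + length > len(data):
            findings.append(f"chunk {ctype.decode()} length {length} overruns file")
            break
        body = data[pos + 8:pos + 8 + length]
        crc_stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc_stored:
            findings.append(f"CRC mismatch in {ctype.decode()} chunk")
        chunk_types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":                      # anything after IEND is not image data
            trailing = len(data) - pos
            if trailing:
                findings.append(f"{trailing} bytes after IEND")
            break
    if not chunk_types or chunk_types[0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if b"IEND" not in chunk_types:
        findings.append("no IEND chunk")
    return {"is_png": True, "findings": findings, "trailing_bytes": trailing,
            "chunks": [c.decode("ascii", "replace") for c in chunk_types]}


def is_suspicious(data: bytes) -> bool:
    """True when the bytes claim to be PNG but do not parse as a clean PNG."""
    result = analyze_png(data)
    return (not result["is_png"]) or bool(result["findings"])


if __name__ == "__main__":
    for label, blob in [("minimal", build_minimal_png()),
                        ("appended", build_minimal_png() + b"\x00" * 16),
                        ("fake", SAMPLE_FAKE_PNG)]:
        print(label, analyze_png(blob))
```

Run against a downloaded file, a result with an empty findings list only says the bytes are a structurally valid PNG; it does not prove the image is benign, and a carrier that hides its payload inside a correctly CRC'd ancillary chunk would pass. The check is cheap enough to sit in a proxy or sandbox pipeline as a first filter on anything a process fetches with an image extension.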
The disclosure comes a day after Palo Alto Networks Unit 42 uncovered twin campaigns orchestrated by North Korean threat actors to distribute malware as part of fictitious job interviews and to obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
Last month, Microsoft also implicated Diamond Sleet in the exploitation of a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8) to opportunistically breach vulnerable servers and deploy a backdoor known as ForestTiger.
Some parts of this article are sourced from:
thehackernews.com