UPDATED 18:38 EDT / NOVEMBER 22 2023

SECURITY

CyberLink targeted in supply chain attack by infamous Lazarus hacking group

Researchers at Microsoft Threat Intelligence have revealed details of a supply chain attack by a North Korea-based threat actor using a malicious variant of an application developed by CyberLink Corp., a Taiwanese software company that develops multimedia software products.

The threat actor, called Diamond Sleet by Microsoft but far better known in the cybersecurity industry as Lazarus, used a modified installer for a CyberLink application as a conduit for distributing malware. The compromised installer appears legitimate and is signed with a valid certificate issued to CyberLink, but it conceals malicious code designed to download and execute a secondary payload. A signature that verifies is therefore not, on its own, evidence that the file is the one CyberLink shipped.

The malware, dubbed LambLoad, acts as both a downloader and a loader. Before launching any malicious activity it checks the system's date and time, and it proceeds only if the clock falls within a preconfigured execution period.

LambLoad targets corporate environments that do not have security software from companies such as FireEye Inc., CrowdStrike Holdings Inc. and Tanium Inc. If running processes belonging to such products are detected, the malware aborts its malicious operations and allows the legitimate CyberLink software to run unimpeded. The practical consequence is that on a host protected by one of those products, or in an analysis environment whose clock sits outside the execution window, the trojanized installer behaves exactly like the genuine one, which is what makes this evasion notable and is why a single clean sandbox run is not a sufficient verdict.

The researchers found more than 100 devices across multiple countries, including Japan, Taiwan, Canada and the United States, that have been affected by the malicious installer since it was first observed on Oct. 20. Although the researchers have so far not identified any direct, hands-on-keyboard activity post-compromise, the potential for data exfiltration, further downstream attacks and persistent access to victim environments remains a significant concern.

Microsoft has taken steps to protect its customers from the risk, including notifying affected Microsoft Defender for Endpoint users, reporting the second-stage payload hosted on GitHub so that it could be removed in accordance with GitHub's policies, and adding the compromised CyberLink certificate to its disallowed certificate list. Microsoft Defender for Endpoint and Microsoft Defender Antivirus have been updated to detect and mitigate this threat.
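Because the trojanized installer carried a valid CyberLink signature, and because Microsoft's response was to distrust that certificate, a useful first triage step on Windows hosts is to enumerate CyberLink-signed binaries, record their hashes and check whether their signing certificate is now distrusted. The script below is an added example written for this article; it is not code from the article, from Microsoft or from CyberLink. The search paths and the empty $KnownBadThumbprints list are placeholders (assumptions), to be filled from the indicators in Microsoft's advisory.

```powershell
# Added hunting example, not code from the article, Microsoft or CyberLink.
# Lists executables signed by a certificate issued to CyberLink and flags any
# whose signing certificate sits in the local Disallowed store or in a
# caller-supplied block list. Save as a .ps1 and run from an elevated prompt.
param(
    # Where to look; the CyberLink install paths and %TEMP% are assumptions.
    [string[]]$SearchPath = @(
        "$env:ProgramFiles\CyberLink",
        "${env:ProgramFiles(x86)}\CyberLink",
        $env:TEMP
    ),
    # Placeholder: populate with the certificate thumbprint(s) from the advisory.
    [string[]]$KnownBadThumbprints = @()
)

# Certificates Windows explicitly distrusts. Microsoft's disallowed-list update
# lands here once the machine has received it.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint

$findings = foreach ($dir in $SearchPath) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            # Only CyberLink-signed binaries are of interest here.
            if ($null -eq $cert -or $cert.Subject -notmatch 'CyberLink') { return }

            $thumb = $cert.Thumbprint
            [pscustomobject]@{
                Path       = $_.FullName
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # SigStatus alone is not a trust decision: a signature can be
                # cryptographically valid and still come from a stolen certificate.
                SigStatus  = $sig.Status
                Signer     = $cert.Subject
                Thumbprint = $thumb
                NotAfter   = $cert.NotAfter
                Distrusted = ($thumb -in $disallowed) -or ($thumb -in $KnownBadThumbprints)
            }
        }
}

# Distrusted signers first; those files deserve a hash lookup against the
# advisory's indicators and, on a match, isolation of the host.
$findings | Sort-Object -Property Distrusted -Descending |
    Format-Table -Property Path, SigStatus, Distrusted, Thumbprint, SHA256 -AutoSize
```

The SHA256 column is there so the output can be compared against published file hashes; the Distrusted column is the only field that reflects the certificate revocation, since Get-AuthenticodeSignature reports on chain and file-hash validity rather than on whether an otherwise valid signer has since been blocked.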

The Lazarus Group has an extensive track record. The group is best known for being behind the spread of the WannaCry ransomware in 2017 but has regularly popped up since then. Previous campaigns include Lazarus targeting Linux systems in December 2019. Lazarus was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular "Axie Infinity" game.

Image: DALL-E 3
