UPDATED 18:38 EST / NOVEMBER 22 2023

SECURITY

CyberLink targeted in supply chain attack by infamous Lazarus hacking group

Researchers at Microsoft Threat Intelligence have revealed details of a supply chain attack by a North Korean-based threat actor using a malicious variant of an application developed by CyberLink Corp., a Taiwanese software company that develops multimedia software products.

The threat actor, called Diamond Sleet by Microsoft but far better known in the cybersecurity industry as Lazarus, involves a modified installer for a CyberLink application being used as a conduit for distributing malware. The compromised installer, while appearing legitimate and signed with a valid CyberLink certificate, conceals malicious code designed to download and execute a secondary payload.

The malware, dubbed LambLoad, acts as both a downloader and a loader. The malware is programmed to check the system’s date and time before launching any malicious activities, ensuring it operates within a preconfigured execution period.

LambLoad targets corporate environments that do not have security software from companies such as FireEye Inc., CrowdStrike Holdings Inc. and Tanium Inc. If security processes from such companies are detected, the malware aborts its malicious operations and allows the legitimate CyberLink software to run unimpeded. The level of sophistication in evading detection is said to highlight the increasing complexity of modern cyberthreats.

The researchers found more than 100 devices across multiple countries, including Japan, Taiwan, Canada and the United States that have been affected by the malicious installer since it was first observed on Oct. 20. Although the researchers have so far not identified any direct, hands-on-keyboard activity post-compromise, the potential for data exfiltration, further downstream attacks and persistent access to victim environments remains a significant concern.

Microsoft has taken steps to protect its customers from the risk, including notifying affected Microsoft Defender for Endpoint users, reporting the attack to GitHub to remove the second-stage payload in compliance with GitHub’s policies, and adding the compromised CyberLink certificate to its disallowed list. Microsoft Defender for Endpoint and Microsoft Defender Antivirus have been updated to detect and mitigate this threat.

The Lazarus Group has an extensive track record of targeting potential victims. The group is best known for being behind the spread of the WannaCry ransomware in 2017 but has regularly popped up since then. Previous campaigns include Lazarus targeting Linux systems in December 2019. Lazarus was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular “Axie Infinity” game.

Image: DALL-E 3

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU