A new supply chain attack was discovered that leverages a malicious variant of a popular photo and video editing application developed by Taiwanese software company CyberLink.
Microsoft’s threat intelligence team has attributed the campaign to a North Korean threat actor it tracks as Diamond Sleet (previously Zinc). The group focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet has been observed targeting media, defense, and information technology (IT) industries worldwide. Its arsenal includes a variety of exclusive custom malware, as well as open-source software and N-day exploits. Diamond Sleet overlaps with activity tracked by other security companies as Temp.Hermit and Labyrinth Chollima.
Diamond Sleet’s most recent campaign, first spotted in late October, involves a modified but legitimate CyberLink application installer: the attackers added malicious code to the installer, signed it with a valid CyberLink certificate, and use it to deliver a second-stage payload. Microsoft tracks the malicious installer as LambLoad.
The file is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.
According to Microsoft, the campaign has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the US. The threat research team said it has yet to identify exactly what the attackers did after a system was compromised, but in previous campaigns the group was seen exfiltrating sensitive data from victim environments, compromising software build environments, moving downstream to additional victims for further exploitation, and using techniques to establish persistent access to victim environments.
Before launching any malicious code, LambLoad ensures that the date and time of the local host fall within a preconfigured execution period. It then checks whether the targeted environment is running security software from FireEye, CrowdStrike, or Tanium. If it finds processes associated with these products, it continues running the CyberLink app without executing any malicious code. Otherwise, LambLoad attempts to contact one of three URLs to download the second-stage payload, which is embedded inside a file masquerading as a PNG image, using the static User-Agent ‘Microsoft Internet Explorer.’
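As an added example (not code from Microsoft’s report or from CyberLink), the following Python triage helper applies two of the indicators described above from a defender’s side: it flags proxy-log requests that carry the bare static User-Agent while fetching a .png resource, and it walks a downloaded file’s PNG chunk structure to detect data appended after the IEND chunk. The log format, hostnames and sample files are constructed assumptions.

```python
import re
import struct
import zlib

# User-Agent the article reports LambLoad sending when it fetches its second stage.
LAMBLOAD_UA = "Microsoft Internet Explorer"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # eight-byte signature every PNG starts with

# Constructed sample proxy log (hypothetical format: client method url status "user-agent").
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://cdn.example.invalid/img/banner.png 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 GET https://cdn.example.invalid/img/logo.png 200 "Microsoft Internet Explorer"
10.0.0.9 GET https://www.example.invalid/index.html 200 "Microsoft Internet Explorer"
"""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def suspicious_requests(log_lines):
    """Flag requests that use the exact static User-Agent to fetch a .png resource."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, _method, url, _status, ua = m.groups()
        # Exact comparison: a real browser sends a longer, versioned UA string.
        if ua == LAMBLOAD_UA and url.lower().endswith(".png"):
            hits.append((client, url))
    return hits

def classify_png(data: bytes) -> str:
    """Triage a file named like a PNG: 'no-png-signature', 'malformed-png',
    'trailing-data' (bytes appended after the IEND chunk) or 'clean'."""
    if not data.startswith(PNG_MAGIC):
        return "no-png-signature"
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):  # each chunk: 4-byte length, 4-byte type, data, 4-byte CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(data):
            return "malformed-png"  # truncated chunk
        if ctype == b"IEND":
            return "trailing-data" if pos < len(data) else "clean"
    return "malformed-png"  # no IEND chunk

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed 1x1 PNG used only as sample input (IHDR is 13 bytes: width, height, depth, colour, compression, filter, interlace).
MINIMAL_PNG = PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
```

A payload hidden inside a valid chunk’s data would still pass the structural check, so treat ‘clean’ as a negative result for this one heuristic only, not as a verdict on the file.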
Microsoft said it has informed CyberLink of its findings and alerted customers who have been targeted or compromised in the campaign. The tech giant has also reported the CyberLink issue to GitHub, which removed the offending app from its platform.