CyberLink Hit by Lazarus Hack: Malware Hidden in Legitimate Installer Sparks Supply Chain Attack


CyberLink Targeted in Supply Chain Attack by Infamous Lazarus Hacking Group

Microsoft Threat Intelligence has uncovered a supply chain attack orchestrated by the North Korean threat actor Lazarus. The attack targeted CyberLink Corp., a Taiwanese software company known for its multimedia software products. Lazarus used a modified installer for a CyberLink application as the conduit to distribute malware to unsuspecting victims.

The malicious variant, discovered by Microsoft and codenamed Diamond Sleet, disguised itself as a legitimate installer, signed with a valid CyberLink certificate. Beneath this facade, the installer contained concealed malicious code intended to download and execute a secondary payload.

Dubbed LambLoad, the malware fulfills dual roles as a downloader and a loader. It runs only within a preconfigured execution window, checking the system's date and time before launching any malicious activity. By staying dormant outside that preset timeframe, LambLoad avoids immediate detection.

LambLoad targets corporate environments that lack security software from companies such as FireEye Inc., CrowdStrike Holdings Inc., and Tanium Inc. If it detects security processes from these companies, the malware aborts its malicious operations and allows the legitimate CyberLink software to run unaffected. This level of sophistication underscores the increasing complexity of modern cyber threats.

Researchers have identified over 100 affected devices across several countries, including Japan, Taiwan, Canada, and the United States since the initial observation of the malicious installer on October 20th. Although no direct, hands-on-keyboard activity has been detected post-compromise, concerns remain regarding potential data exfiltration, subsequent attacks, and persistent access to victim environments.

Taking swift action, Microsoft has implemented measures to protect customers from this risk. Affected users of Microsoft Defender for Endpoint have been notified, the attack has been reported to GitHub for the removal of the second-stage payload in accordance with GitHub’s policies, and the compromised CyberLink certificate has been added to Microsoft’s disallowed list. Microsoft Defender for Endpoint and Microsoft Defender Antivirus have also been updated to address and neutralize this threat.
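As an added example (not code from the article or from Microsoft), the following hunt over constructed endpoint telemetry looks for the two signals the report gives defenders: a validly signed binary whose certificate is on your own disallowed list, and a CyberLink-published installer fetching a second stage from GitHub. The certificate thumbprint, publisher string, file paths and events are all assumptions or placeholders, not values from the report.

```python
from collections import defaultdict

# Placeholder: the real abused certificate's thumbprint is not given in the article.
DISALLOWED_THUMBPRINTS = {"PLACEHOLDER-THUMBPRINT-OF-ABUSED-CYBERLINK-CERT"}
WATCHED_PUBLISHERS = {"CyberLink Corp."}   # assumed Authenticode subject string
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}

# Constructed sample events (process start + outbound connection); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\a\Downloads\PowerDVD_setup.exe",
     "publisher": "CyberLink Corp.", "signature_valid": True,
     "thumbprint": "PLACEHOLDER-THUMBPRINT-OF-ABUSED-CYBERLINK-CERT"},
    {"type": "network", "pid": 4120, "dest": "raw.githubusercontent.com", "port": 443},
    {"type": "process", "pid": 5001, "image": r"C:\Users\a\Downloads\PhotoDirector_setup.exe",
     "publisher": "CyberLink Corp.", "signature_valid": True, "thumbprint": "OTHER-CYBERLINK-CERT"},
    {"type": "network", "pid": 5001, "dest": "update.cyberlink.com", "port": 443},
    {"type": "process", "pid": 6100, "image": r"C:\Program Files\Git\cmd\git.exe",
     "publisher": "Some Vendor", "signature_valid": True, "thumbprint": "GIT-CERT"},
    {"type": "network", "pid": 6100, "dest": "github.com", "port": 443},
]

def hunt(events):
    """Return {pid: [reasons]} for processes matching either detection rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = defaultdict(list)
    # Rule 1: a *valid* signature from a blocklisted certificate is itself the alert;
    # Authenticode validity proves nothing once the certificate is known to be abused.
    for pid, p in procs.items():
        if p["signature_valid"] and p["thumbprint"] in DISALLOWED_THUMBPRINTS:
            findings[pid].append("signed by disallowed certificate")
    # Rule 2: an installer from the watched publisher reaching a code-hosting site
    # matches the second-stage download path described in the report.
    for e in events:
        if e["type"] != "network":
            continue
        p = procs.get(e["pid"])
        if p and p["publisher"] in WATCHED_PUBLISHERS and e["dest"].lower() in CODE_HOSTING:
            findings[e["pid"]].append(f"{p['publisher']} binary fetched from {e['dest']}")
    return dict(findings)

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the first installer trips both rules; the legitimately behaving CyberLink installer and the unrelated git client reaching GitHub are left alone, which is the point of correlating publisher and destination rather than alerting on either one.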

Lazarus Group has established a notorious track record in targeting vulnerable victims. Most notably, they were responsible for the widespread WannaCry ransomware attack in 2017. Similar incidents involving Lazarus include their targeting of Linux systems in December 2019 and their involvement in the $615 million cryptocurrency theft through the hacking of the Ronin Network, which underlies the popular game Axie Infinity.

The implications of this latest supply chain attack by Lazarus Group are vast, warranting heightened vigilance within the cybersecurity community. Companies must ensure the implementation of robust security measures to safeguard against such threats. As the landscape of cybercrime continues to evolve, it is imperative that organizations remain proactive in adapting their defenses to combat the ever-increasing complexity of cyber threats.

Neha Sharma
Neha Sharma is a tech-savvy author at The Reportify who delves into the ever-evolving world of technology. With her expertise in the latest gadgets, innovations, and tech trends, Neha keeps you informed about all things tech in the Technology category. She can be reached at neha@thereportify.com for any inquiries or further information.
