November 23, 2023 at 01:06AM
North Korean threat actor Diamond Sleet is using a trojanized version of a legitimate app developed by CyberLink in a supply chain attack. The poisoned file, hosted on CyberLink’s infrastructure, downloads a second-stage payload. The campaign has affected over 100 devices in Japan, Taiwan, Canada, and the U.S. Microsoft has observed Diamond Sleet using trojanized open-source and proprietary software in attacks on IT, defense, and media sectors. No hands-on-keyboard activity was detected after the tampered installer was distributed.
Meeting Takeaways:
– A North Korean state-sponsored threat actor known as Diamond Sleet is conducting a supply chain attack by distributing a trojanized version of a legitimate application developed by CyberLink, a Taiwanese multimedia software developer.
– The trojanized software contains malicious code that downloads and loads a second-stage payload.
– The campaign has impacted over 100 devices in Japan, Taiwan, Canada, and the U.S. and has been observed since October 20, 2023.
– The second-stage payload establishes connections with compromised command-and-control servers.
– Diamond Sleet is a part of an umbrella group called Lazarus Group and has been active since at least 2013, targeting organizations globally in IT, defense, telecommunications, and financial sectors.
– Microsoft has codenamed the tampered installer LambLoad and has not detected any hands-on-keyboard activity following its distribution.
– The malware inspects the target system for the presence of security software and fetches additional payloads from a remote server masquerading as a PNG file.
– Palo Alto Networks Unit 42 recently uncovered twin campaigns by North Korean threat actors targeting organizations through fictitious job interviews.
– Microsoft has linked Diamond Sleet to the exploitation of a critical security flaw in JetBrains TeamCity to deploy a backdoor known as ForestTiger.
Please note that these takeaways are a summary of the meeting notes and may not include all details.
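The takeaways above mention a second-stage payload fetched from a remote server while masquerading as a PNG file. As an added defender-side example (not code from Microsoft, CyberLink, or the original article), the following Python check tests whether a file delivered as a PNG is actually a well-formed PNG, flagging a PE ("MZ") header, a broken chunk structure, or data appended after the IEND chunk; the function and helper names, and the constructed sample inputs, are mine.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def classify_png_candidate(data: bytes) -> str:
    """Classify bytes served as a PNG.

    Returns 'png' for a well-formed image, 'pe-masquerade' when the file
    starts with a Windows executable header, 'trailing-data' when bytes
    follow the IEND chunk (a common place to stash a payload), and
    'malformed' for anything else. This is a triage signal, not a verdict.
    """
    if data[:2] == b"MZ":
        return "pe-masquerade"
    if not data.startswith(PNG_SIGNATURE):
        return "malformed"
    # PNG chunks: 4-byte length, 4-byte type, data, 4-byte CRC over type+data.
    pos = len(PNG_SIGNATURE)
    first_chunk = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            return "malformed"  # chunk claims more bytes than the file has
        chunk = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + chunk) & 0xFFFFFFFF != crc:
            return "malformed"  # CRC mismatch: corrupted or hand-built file
        if first_chunk and ctype != b"IHDR":
            return "malformed"  # spec requires IHDR to come first
        first_chunk = False
        if ctype == b"IEND":
            return "png" if end + 4 == len(data) else "trailing-data"
        pos = end + 4
    return "malformed"  # ran out of bytes before reaching IEND


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG for testing."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Run the classifier over downloads whose Content-Type or extension says PNG; a 'pe-masquerade' or 'trailing-data' result on content fetched by an installer is worth a closer look.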