A group of North Korean hackers, tracked by Microsoft as Diamond Sleet (Zinc) and previously described as a subgroup of the Lazarus gang, has been carrying out attacks for data theft, espionage, destruction and financial gain. Microsoft recently discovered that Diamond Sleet targeted CyberLink, a Taiwan-based software company specializing in audio, video and photo editing applications, to distribute malware in supply chain attacks targeting potential victims around the world.
Hackers compromised the company’s systems and modified a legitimate application installer. They added malicious code designed to download, decrypt and load second-stage payloads. The malicious version of the installer was signed with a valid CyberLink certificate and hosted on a legitimate update infrastructure.
After detecting a supply chain attack, Microsoft informed CyberLink and is also notifying Microsoft Defender for Endpoint customers who were affected by the attack. The company also reported the attack to GitHub, which removed the second-stage payload in accordance with its acceptable use policies.
Microsoft began observing activity related to the malicious installer on October 20; the file was seen on more than 100 devices in Japan, Taiwan, Canada and the United States. The company tracks the malware as LambLoad. The threat is designed to scan the compromised host for the presence of security software from CrowdStrike, FireEye and Tanium before executing malicious code; if any of these security products is detected, only the legitimate CyberLink application is executed.
The tech giant did not observe any hands-on-keyboard activity as part of the campaign, but noted that the threat operator is known to steal sensitive data from victims, compromise software build environments, move downstream to other victims, and establish persistent access. Microsoft has made Indicators of Compromise (IoCs) available to help defenders detect Diamond Sleet activity on their networks.
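The attack above hinges on a trojanised installer that carries a valid CyberLink signature and sits on legitimate update infrastructure, so a signature check alone does not clear the file; defenders instead match file hashes against the IoCs the vendor publishes. The following added example, which is not code from the article or from Microsoft, scans a directory for files whose SHA-256 appears in an IoC list. The IoC list, the file names and every hash in it are constructed placeholders computed from sample bytes embedded in the script; the real LambLoad indicators must be taken from Microsoft's report.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for a trojanised installer and a benign file.
# These bytes are NOT samples of LambLoad; they exist only so the demo
# runs offline with hashes that are reproducible.
SAMPLE_MALICIOUS_BYTES = b"constructed-sample: trojanised installer stand-in\n"
SAMPLE_CLEAN_BYTES = b"constructed-sample: benign file stand-in\n"


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, hashing it in chunks so large
    installers do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_ioc_hashes(ioc_json):
    """Parse an IoC export (assumed JSON shape: {"files": [{"sha256": ...}]})
    into a lookup table keyed by lower-case hash."""
    data = json.loads(ioc_json)
    return {entry["sha256"].lower(): entry for entry in data["files"]}


def scan_directory(root, ioc_hashes):
    """Hash every regular file under root and report those whose SHA-256
    matches a published indicator. A valid code-signing certificate is
    deliberately not treated as an exoneration: the malicious CyberLink
    installer was validly signed, so only content hashes are compared."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in ioc_hashes:
            hits.append({"path": str(path), "sha256": digest, "ioc": ioc_hashes[digest]})
    return hits


def build_demo_environment():
    """Create a temporary directory holding one 'bad' and one 'clean' file
    and a placeholder IoC list whose only hash is that of the bad file."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    (Path(root) / "Setup.exe").write_bytes(SAMPLE_MALICIOUS_BYTES)   # constructed
    (Path(root) / "Readme.txt").write_bytes(SAMPLE_CLEAN_BYTES)      # constructed
    ioc_json = json.dumps({
        "source": "PLACEHOLDER: vendor advisory IoC export, not Microsoft's data",
        "files": [
            {
                "sha256": hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest(),
                "name": "stand-in for trojanised installer",
            }
        ],
    })
    return root, ioc_json


def run_demo():
    """Run the scan against the constructed environment and return the hits."""
    root, ioc_json = build_demo_environment()
    return scan_directory(root, load_ioc_hashes(ioc_json))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"IoC match: {hit['path']} sha256={hit['sha256']} ({hit['ioc']['name']})")
```

In practice the JSON would be replaced by the vendor's actual IoC export and `scan_directory` pointed at the software's install and download locations; the hash match then becomes the trigger for isolating the host and pulling the installer for further analysis.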
To access the full Microsoft report (in English), click here.
Who is the Lazarus Group?
The Lazarus Group is a hacker group sponsored by North Korea that has been operating for more than ten years, since at least 2009. Known for attacking organizations around the world, Lazarus’ operations have so far included attacks on financial institutions, media outlets and government agencies.
Their campaigns have also involved attacks on security researchers, penetration testers, and employees of cybersecurity and technology companies; the insertion of malicious code into open source cryptocurrency platforms; large cryptocurrency heists; and the use of fake job interviews to spread malware.
The group is believed to be behind many high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and the largest-ever cryptocurrency heist in 2022.
In September 2019, the US government imposed sanctions on three North Korea-sponsored hacking groups (Lazarus, Bluenoroff and Andariel) and is now offering a reward of up to $5 million for information on North Korean hacking activity.
See the original post at: CisoAdvisor