Microsoft uncovers Diamond Sleet's supply chain attack involving modified CyberLink installer
Microsoft has discovered a supply chain attack by Diamond Sleet (formerly ZINC), a North Korea-based threat actor known to target media, defense, and information technology (IT) industries globally. The attack involves a malicious variant of a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.
Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. The group is known to use a variety of custom malware that is exclusive to it.
This suspicious activity associated with the modified CyberLink installer file was observed by Microsoft Threat Intelligence researchers as early as October 20, 2023. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft observed the threat group utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.
Microsoft took the following measures to protect customers in response to this malicious activity by Diamond Sleet:
- Communicated this supply chain compromise to CyberLink
- Notified Microsoft Defender for Endpoint customers that have been targeted or compromised in this campaign
- Reported the attack to GitHub, which then removed the second-stage payload in accordance with its Acceptable Use Policies
- Added the CyberLink Corp. certificate used to sign the malicious file to its disallowed certificate list
- Microsoft Defender for Endpoint detects this activity under the Diamond Sleet activity group, while Microsoft Defender Antivirus detects the malware as Trojan:Win32/LambLoad.
Microsoft recommends using Microsoft Defender Antivirus to protect against this threat. It also advises enabling network protection, which blocks access to the malicious domains, and running automated investigation and remediation in full automated mode so that Microsoft Defender for Endpoint can act on alerts immediately to resolve breaches, the tech giant said.
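Because the trojanized installer carried a valid CyberLink Corp. signature, a defender triaging a fleet cannot rely on signature status alone; the useful check is whether the signing certificate is one that has since been distrusted. The following PowerShell is an added example (not code from Microsoft's report) that inventories installer signers and flags CyberLink-signed binaries whose certificate appears in the local Disallowed store or in a thumbprint list you supply; the scan folder and the thumbprint list are assumptions.

```powershell
# Added triage example, not from Microsoft's report. Lists Authenticode signers of
# installer files and flags CyberLink-signed binaries whose signing certificate is
# distrusted locally. $Path and $KnownBadThumbprints are assumed inputs.
param(
    [string]$Path = "C:\Installers",          # assumed folder of downloaded installers
    [string[]]$KnownBadThumbprints = @()      # assumed: thumbprints from your own intel feed
)

# Certificates Windows has been told to distrust (Microsoft's disallowed list lands here
# once the disallowed-certificate update has been applied to the machine).
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint

Get-ChildItem -Path $Path -Include *.exe, *.msi -Recurse -File | ForEach-Object {
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }

    $isCyberLink  = $cert -and ($cert.Subject -match 'CyberLink')
    $inDisallowed = $thumb -and ($disallowed -contains $thumb)
    $inBadList    = $thumb -and ($KnownBadThumbprints -contains $thumb)

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
        Thumbprint = $thumb
        Flag       = if ($inDisallowed -or $inBadList) { 'DISTRUSTED-CERT' }
                     elseif ($isCyberLink) { 'REVIEW' }
                     else { '' }
    }
} | Format-Table -AutoSize
```

A status of Valid is expected for a file signed before the certificate was distrusted, which is why the Flag column, not the Status column, is the signal to act on; anything marked REVIEW should be compared against your vendor's published hashes rather than trusted on the strength of its signature.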