“Diamond Sleet” Supply Chain Attack: Microsoft recently uncovered a troubling incident involving a supply chain attack, skillfully executed by North Korean hackers. These cyber operatives attached a malicious file to an authentic photo and video editing application installer.
In a blog post released on Wednesday, Microsoft Threat Intelligence shed light on the situation, attributing the activity to a group identified as Diamond Sleet—a faction within the North Korean government specializing in espionage, data theft, financial gain, and network destruction. The group operates globally, primarily targeting organizations in the media, IT services, and defense sectors.
According to Microsoft, the hackers tampered with an application developed by the Taiwanese software company CyberLink, producing a malicious variant. Although Microsoft sought comment from CyberLink, the company has yet to respond to the findings.
The malicious file poses as a legitimate CyberLink application installer but has been modified to include code that downloads, decrypts, and loads a second-stage payload. The file carries a valid certificate issued to CyberLink Corp., is hosted on CyberLink’s genuine update infrastructure, and limits the window in which it executes, which helped it evade detection by security products.
Microsoft reports that this malicious activity has affected over 100 devices across several countries, including Japan, Taiwan, Canada, and the United States. Although the company’s researchers first noticed suspicious activity on October 20, they have not observed any hands-on-keyboard activity following compromise through this malware.
The malicious executable, dubbed LambLoad, functions as a weaponized downloader and loader. Before activating, it checks the date and time and verifies that no security software from FireEye, CrowdStrike, or Tanium is present. If these conditions are not met, the executable simply runs the legitimate CyberLink software and executes no further malicious code.
When the conditions are met, the loader attempts to contact three malicious domains to download a second-stage payload embedded in a file masquerading as a .PNG image. Microsoft attributed the campaign to Diamond Sleet after observing the malware communicating with infrastructure the group had previously compromised.
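The second-stage payload described above arrived inside a file posing as a .PNG image. As an added example, not code from Microsoft, CyberLink or the reported malware, the following defender-side check walks a blob's PNG chunk structure, verifies each chunk's CRC, and reports bytes appended after the IEND chunk, which a real image never has; the sample inputs are constructed inline.

```python
import struct
import zlib

# Hypothetical helper, not Microsoft's or CyberLink's code: classify a blob that
# arrives with a .png extension, as the LambLoad second-stage payload did.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def classify_png(data: bytes) -> str:
    """Return 'png' for a well-formed image, 'png+trailer: N bytes after IEND' when
    data is appended past the final chunk (a common hiding place for a payload),
    or 'not-png: <reason>' when the bytes are not a PNG at all."""
    if not data.startswith(PNG_SIGNATURE):
        return "not-png: missing PNG signature"
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return f"not-png: truncated chunk {name}"
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return f"not-png: bad CRC on chunk {name}"
        if ctype == b"IHDR":
            seen_ihdr = True
        pos += 12 + length
        if ctype == b"IEND":
            if not seen_ihdr:
                return "not-png: IEND before IHDR"
            trailing = len(data) - pos
            return f"png+trailer: {trailing} bytes after IEND" if trailing else "png"
    return "not-png: no IEND chunk"
```

A verdict other than "png" on a file that a download or update channel labels as an image is worth alerting on, even when the delivering installer carries a valid signature.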
In response, Microsoft has informed CyberLink of the issue and communicated with targeted or compromised customers. The company also reported the issue to GitHub, resulting in the removal of the payload from its platform. Furthermore, Microsoft has blocked the CyberLink certificate used to sign the malicious file.
Diamond Sleet is known for deploying custom malware and has previously been observed leveraging open-source software alongside newly discovered vulnerabilities. The group’s objectives typically involve exfiltrating sensitive data, compromising software build environments, and attacking downstream victims.
In a notable instance in September, Diamond Sleet garnered attention for targeting organizations in Russia, one of North Korea’s few allies. Microsoft had previously cautioned about hackers associated with Diamond Sleet weaponizing legitimate open-source software. In October, the group set its sights on a vulnerability in a popular product from Czech software giant JetBrains.
Notably, North Korean hackers have increasingly embraced supply-chain attacks resembling the one Microsoft uncovered. In April, cybersecurity experts identified North Korean hackers conducting a supply-chain attack on clients of the enterprise phone company 3CX, compromising the company through another third-party supply-chain attack. This incident marked the first time a software supply-chain attack had led to another software supply-chain attack, as reported by Google cybersecurity firm Mandiant.