According to a new blog post by Microsoft, a North Korean-based threat actor dubbed Diamond Sleet has been observed distributing a malicious variant of a legitimate application installer developed by CyberLink Corp. to target customers in a supply chain attack. For its part, the trojanized file, which is hosted on CyberLink’s update infrastructure, includes malicious code that is designed to download, decrypt, and load a second-stage payload.
To evade detection, researchers say the file is signed using a valid certificate issued by CyberLink and includes checks that limit the time window in which it will execute. Based on the activity observed so far, the modified CyberLink installer file has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. Upon execution, LambLoad checks whether the targeted system is running security software such as FireEye, CrowdStrike, or Tanium. If none is detected, the malware retrieves the second-stage payload from a URL. That payload is embedded inside a file masquerading as a PNG image, which, when invoked, reaches out to a legitimate domain for additional payloads. Read more at Microsoft.
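The second-stage payload described above is delivered inside a file that only claims to be a PNG. A basic defensive triage check is to compare what a file's extension says with what its bytes actually contain: a genuine PNG starts with a fixed eight-byte signature and is a sequence of length-prefixed chunks ending in IEND, so a ".png" that begins with an MZ header, is an opaque high-entropy blob, or carries extra bytes after IEND deserves a closer look. The following is an added example written for this page, not code from Microsoft's report or from CyberLink; the sample files, the verdict labels, and the 7.5-bit entropy threshold are constructed assumptions for illustration.

```python
"""Triage files that present themselves as PNG images.

Verdicts are constructed labels for this example:
  "png"                         well-formed PNG, nothing after IEND
  "png-with-appended-data"      valid PNG structure with trailing bytes after IEND
  "malformed-png"               PNG signature but chunk walk fails (truncated/corrupt)
  "masquerade:pe"               .png extension but bytes start with an MZ (PE) header
  "masquerade:high-entropy-blob" .png extension, no known header, looks encrypted/packed
  "masquerade:unknown"          .png extension, no known header, low entropy
  "not-png-extension"           file did not claim to be a PNG at all
"""
import math
from collections import Counter
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # fixed PNG file header (PNG spec)
MZ_SIGNATURE = b"MZ"                   # DOS/PE executable header
HIGH_ENTROPY_THRESHOLD = 7.5           # bits per byte; assumed cut-off, max is 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def png_trailing_bytes(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the number of bytes after IEND.

    Returns None if the signature is missing or a chunk runs past the end
    of the data (truncated or corrupt file).
    Each chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        chunk_type = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(data):
            return None  # chunk claims more data than the file holds
        if chunk_type == b"IEND":
            return len(data) - end
        pos = end
    return None  # ran out of data before seeing IEND


def classify_png_candidate(name: str, data: bytes) -> str:
    """Compare the claimed extension against the file content and return a verdict."""
    if not name.lower().endswith(".png"):
        return "not-png-extension"
    if data.startswith(PNG_SIGNATURE):
        trailing = png_trailing_bytes(data)
        if trailing is None:
            return "malformed-png"
        return "png-with-appended-data" if trailing > 0 else "png"
    if data.startswith(MZ_SIGNATURE):
        return "masquerade:pe"
    if shannon_entropy(data[:4096]) > HIGH_ENTROPY_THRESHOLD:
        return "masquerade:high-entropy-blob"
    return "masquerade:unknown"


# --- constructed sample inputs (not real artifacts from the incident) ---
# Minimal structurally valid PNG: signature, an IHDR chunk, and an IEND chunk.
# The IHDR payload and CRCs are zero-filled; this checks structure, not image validity.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + bytes(4)
    + (0).to_bytes(4, "big") + b"IEND" + bytes(4)
)
# Every byte value equally often: entropy exactly 8.0 bits, stands in for an encrypted blob.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 16
SAMPLE_PE_STUB = b"MZ\x90\x00" + bytes(60)

if __name__ == "__main__":
    samples = {
        "photo.png": SAMPLE_PNG,
        "photo_with_payload.png": SAMPLE_PNG + HIGH_ENTROPY_BLOB,
        "loader.png": SAMPLE_PE_STUB,
        "blob.png": HIGH_ENTROPY_BLOB,
        "text.png": b"hello world " * 100,
        "setup.exe": SAMPLE_PE_STUB,
    }
    for fname, content in samples.items():
        print(f"{fname:28s} -> {classify_png_candidate(fname, content)}")
```

The entropy threshold is deliberately coarse: legitimate compressed image data inside a real PNG is also high-entropy, which is why the check is only applied to files that lack any recognised header. In a hunt, the interesting verdicts are the masquerade and appended-data ones, which point at files worth pulling for full analysis rather than at confirmed malware.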