The Microsoft Threat Intelligence team has recently disclosed a supply chain attack that has raised serious concern in the cybersecurity community.
The attack, attributed to the North Korea-based threat actor Microsoft tracks as Diamond Sleet (ZINC), involved a modified CyberLink installer and has impacted over 100 devices across several countries, including Japan, Taiwan, Canada, and the United States.
Diamond Sleet breached CyberLink's update infrastructure and used a legitimate code-signing certificate issued to CyberLink Corp. to sign a malicious executable. Because the file carried a valid signature and was hosted on CyberLink's own update infrastructure, it could be delivered to unsuspecting users as if it were a routine update.
Microsoft Threat Intelligence has since added the certificate to its disallowed certificate list in order to prevent further misuse. The attack was uncovered through analysis of a modified installer for a CyberLink application that was being used to spread malware.
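The lesson of the signed installer is that a cryptographically valid Authenticode signature only proves possession of the signing key, not that the signer was acting legitimately. As an added example that is not part of the original post or of Microsoft's advisory, the PowerShell sweep below checks the signer certificate of installers against a local certificate blocklist rather than trusting signature validity alone. The blocklist entry is a placeholder to be replaced with the thumbprint published in Microsoft's indicators of compromise, and the directories searched are assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits installers for a signer certificate that is on a local blocklist.
# The entry below is a PLACEHOLDER, not the real CyberLink certificate thumbprint;
# substitute the value from Microsoft's published indicators of compromise.
$BlockedThumbprints = @(
    'REPLACE-WITH-THUMBPRINT-FROM-MICROSOFT-IOCS'
)

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Blocklist = $BlockedThumbprints
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # X509Certificate2 fields are only present when the file is actually signed.
    $subject    = if ($cert) { $cert.Subject }    else { $null }
    $thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
    $notAfter   = if ($cert) { $cert.NotAfter }   else { $null }

    $verdict = 'ok'
    # Decisive check first: a blocklisted signer is malicious even if the
    # signature itself verifies, because the key was abused, not forged.
    if ($cert -and ($Blocklist -contains $thumbprint)) {
        $verdict = 'BLOCKED-CERT'
    }
    elseif ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $verdict = "UNTRUSTED ($($sig.Status))"
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumbprint
        NotAfter   = $notAfter
        Verdict    = $verdict
    }
}

# Assumed sweep locations: user downloads and the machine-wide data folder
# where update caches commonly live. Adjust to the update path of the product.
$paths = @("$env:USERPROFILE\Downloads", "$env:ProgramData")
Get-ChildItem -Path $paths -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerSigner -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'ok' } |
    Format-Table Path, Status, Subject, Verdict -AutoSize
```

On a host that has already received Microsoft's updated disallowed certificate list, a file signed with the revoked certificate may report a Status other than Valid; on a host that has not, the signature still verifies, which is exactly why the thumbprint comparison is done before the status check.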
SECOND STAGE OF ATTACK:
In the second stage of the attack, the signed malicious file downloads, decrypts, and loads a second-stage payload. That payload then communicates with infrastructure the actor had previously compromised, so that its traffic blends in with legitimate activity and is harder to detect.
The payload has primarily been used against organizations in the information technology, defense, and media sectors, with objectives ranging from espionage and data theft to financial gain and destruction of corporate networks.
The LambLoad malware, the loader at the centre of this attack, is selective about when it runs. It checks for the presence of specific security software products and compares the local date and time against a preconfigured execution window. If either condition is not met, for example because an endpoint security product is running or the clock falls outside the window, it executes no malicious code and simply runs the legitimate CyberLink software. For defenders this has a practical consequence: a sandbox detonation performed on a protected host, or outside the configured window, will look entirely benign.
Microsoft Threat Intelligence has taken swift action to protect its customers from this Diamond Sleet activity. This includes publishing indicators of compromise and recommended mitigations, reporting the attack to GitHub so the second-stage payload could be removed, and updating Microsoft Defender for Endpoint and Microsoft Defender Antivirus to detect and block this threat.
Remember to always stay safe, and be vigilant 🛡️!
Share your thoughts on this in the comments section below.