CyberLink Breached Through Supply Chain Attack By North Korean Hackers

Supply Chain Attack by North Korean Hackers

In November 2023, Microsoft Threat Intelligence disclosed a supply chain attack attributed to a North Korean state-sponsored group. The victim was CyberLink, a multimedia software company headquartered in Taiwan. Because the tampered software was delivered through CyberLink's own distribution channel, customers in several countries were exposed, putting the integrity and confidentiality of their systems and data at risk.

According to Microsoft, the attackers modified a legitimate CyberLink application installer so that it carried malicious code.

The malicious code was embedded in the installer, which was then signed with a valid code signing certificate issued to CyberLink and hosted on CyberLink's legitimate update infrastructure. Because the signature verified and the download came from the expected location, the file looked like any other CyberLink release. Microsoft observed the trojanized installer in use as early as 20 October 2023.

Inside the North Korean Supply Chain Attack

Microsoft attributes the attack with high confidence to the North Korean group it tracks as Diamond Sleet, which overlaps with the activity other vendors report as Lazarus and Labyrinth Chollima and which Microsoft previously named ZINC. The group has a long record of data theft, destructive attacks, and compromises of software vendors as a way to reach those vendors' downstream customers.

The CyberLink operation abused the vendor's trust in two ways. First, the attackers modified a legitimate installer to include their malicious loader. Second, they signed the altered installer with CyberLink's own valid certificate and distributed it from CyberLink's update infrastructure, so neither the signature check nor the download origin raised a flag.

The trojanized installer reached users in Taiwan, Japan, Canada, and the United States; Microsoft observed more than 100 affected devices.

Microsoft's analysis of the installer reported the following:

  • The malicious code in the installer is a loader and downloader that Microsoft tracks as LambLoad.
  • Before doing anything malicious, LambLoad checks its environment: it confirms that no processes belonging to FireEye, CrowdStrike, or Tanium are running, and that the current date and time satisfy a hard-coded condition. Hosts running other security products are not excluded by this check.
  • If either check fails, the executable simply continues running the legitimate CyberLink software and never executes the malicious code, which keeps the loader quiet in sandboxes and on hosts protected by those products.

How the Lazarus (LambLoad) Malware Works

Once the altered CyberLink installer runs on a device, the loader proceeds as follows.

Step 1: LambLoad runs its environment checks: no FireEye, CrowdStrike, or Tanium processes may be running, and the date and time must match its hard-coded condition.

Step 2: If the checks pass, it contacts one of its command-and-control (C2) URLs.

Step 3: It downloads the second-stage payload over HTTP using the user-agent string "Microsoft Internet Explorer" (a header value chosen to blend in, not the browser itself). The response is a file posing as a PNG image.

Step 4: The loader carves the embedded payload out of the fake PNG, decrypts it, and launches it in memory.

Step 5: The second-stage payload then runs on the compromised host and communicates with infrastructure that Microsoft had previously seen compromised by Diamond Sleet.
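The analyst's side of Steps 1 through 4 can be reproduced offline. The Python below is an added example, not code from Microsoft, CyberLink, or the malware itself: it builds a constructed carrier file (a valid 1x1 PNG with a payload appended after the IEND chunk), carves and decrypts the trailer the way a triage script would, and models the environment gate described in the findings above. The EDR process names, the date window, and the single-byte XOR used to protect the sample payload are assumptions; the page does not give the loader's real values.

```python
"""Triage helpers for a LambLoad-style staged download.

Added example; not Microsoft's, CyberLink's or the attacker's code. The EDR
process names, the time window and the single-byte XOR are assumptions.
"""
import struct
import zlib
from datetime import datetime

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Assumed process names for the three products named in the write-up.
EDR_PROCESSES = {"csfalconservice.exe", "taniumclient.exe", "xagt.exe"}


def gate_passes(running, now, not_before, not_after):
    """Loader-style gate: continue only if no listed EDR process is running and
    `now` lies inside the hard-coded window. Otherwise the loader does nothing,
    which is why a sandbox run outside the window sees only legitimate behaviour."""
    if any(name.lower() in EDR_PROCESSES for name in running):
        return False
    return not_before <= now <= not_after


def _chunk(ctype, body):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample(payload):
    """Constructed carrier: a valid 1x1 RGB PNG with `payload` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, 0, 0, 0
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload


def carve_trailer(data):
    """Walk the chunk list, verifying lengths and CRCs, and return
    (offset_after_iend, bytes_after_iend). Image decoders stop at IEND, so a
    trailer is invisible to viewers but trivially recoverable here."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG signature")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            return pos, data[pos:]
    raise ValueError("no IEND chunk: not a well-formed PNG")


def xor_decrypt(blob, key):
    """Stand-in for the loader's decryption step (assumed single-byte XOR; symmetric)."""
    return bytes(b ^ key for b in blob)


def triage(data, key):
    """Analyst view of Steps 3 and 4: carve the trailer and decrypt it, returning
    the result instead of executing anything."""
    offset, trailer = carve_trailer(data)
    return {"png_bytes": offset, "trailer_bytes": len(trailer), "decrypted": xor_decrypt(trailer, key)}


if __name__ == "__main__":
    # Constructed sample: a harmless marker string stands in for the stage-two executable.
    KEY = 0x5A
    carrier = build_sample(xor_decrypt(b"MZ-stage-two-placeholder", KEY))
    print(triage(carrier, KEY))
    now = datetime(2023, 10, 25, 12, 0)
    window = (datetime(2023, 10, 20), datetime(2023, 11, 30))
    print("gate, clean host :", gate_passes(["explorer.exe", "PDFPlayer.exe"], now, *window))
    print("gate, CrowdStrike:", gate_passes(["explorer.exe", "CSFalconService.exe"], now, *window))
```

Two points worth noting from running it. First, `carve_trailer` validates every chunk's CRC, so a carrier that has been corrupted or truncated in transit is reported rather than silently yielding a partial payload. Second, the gate shows why static scanning of the installer and dynamic analysis in a sandbox can both come back clean: the malicious path is simply never taken unless the host looks like a real target at the right time.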

Microsoft Threat Intelligence identified the malicious payload in the CyberLink installer, notified CyberLink, and added the certificate used to sign the installer to Microsoft's disallowed certificate list, so Windows no longer trusts files signed with it.

Affected Microsoft Defender for Endpoint customers were notified directly, and detection coverage was released so that impacted devices could be identified, cleaned, and hardened.

Microsoft also reported the activity to GitHub, which removed the second-stage payload that had been hosted there under its Acceptable Use Policies.

How Can You Secure Yourself From Supply Chain Attack?

The CyberLink case is a reminder that a valid signature proves only that the holder of the private key signed the file, not that the file is safe. Protecting the signing key, and the build pipeline around it, is therefore the first line of defence against this kind of supply chain attack.

A code signing certificate issued under the current industry requirements, which since June 2023 mandate that the private key be generated and stored in a hardware security module or hardware token, keeps the key out of reach of anyone who compromises a build server or developer workstation. A signing-management platform such as DigiCert Software Trust Manager adds controlled access to that key, an audit log of every signing operation, and policy enforcement across the release process, so an unauthorized signature is far harder to obtain and far easier to trace.

Recommended: Software Supply Chain Attacks: Notable Examples and Prevention Strategies

Janki Mehta

Janki Mehta is a cyber-security enthusiast who keeps up with new developments in the web and cyber security field. Alongside her theoretical knowledge, she applies her practical expertise in day-to-day work and helps others protect themselves from threats.
