North Korea’s Lazarus Group carried out a supply chain attack by attaching malware to a legitimate application installer from software company CyberLink, Microsoft researchers said.
The breach affected more than 100 devices in several countries, including the U.S., Canada, Japan and Taiwan, according to a blog post from Microsoft’s threat intelligence group (which tracks Lazarus as Diamond Sleet).
It is the latest in a growing list of supply chain attacks linked to advanced persistent threat (APT) groups tied to the Democratic People’s Republic of Korea (DPRK).
In a joint advisory, the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) said DPRK state-linked threat groups are increasingly relying on supply chain attacks to snare their victims.
Such attacks were “growing in sophistication and volume,” the agencies said in a statement.
“The NCSC and the NIS consider these supply chain attacks to align and considerably help fulfil wider DPRK-state priorities, including revenue generation, espionage and the theft of advanced technologies,” the statement said.
“Software supply chain cyber attacks pose a significant threat as they can affect a number of organisations via one initial compromise and can lead to onward attacks, resulting in disruption or ransomware being deployed.”
Malicious CyberLink installer appears legit
In the case of Lazarus Group’s attack against multimedia software developer CyberLink, Microsoft’s threat intelligence group said the APT added malicious code to the application installer; the trojanized installer then downloaded, decrypted and loaded a second-stage payload.
The installer, discovered in October and tracked by Microsoft as LambLoad, was hosted on legitimate update infrastructure owned by CyberLink. Its malicious code checks for security software from FireEye, CrowdStrike or Tanium and proceeds to fetch the payload only on hosts where none of those products is present.
The Microsoft researchers said Lazarus Group used a legitimate code signing certificate issued to CyberLink Corp. to sign the malicious executable.
While they had not yet identified any hands-on-keyboard activity carried out by the threat actors after compromising devices via LambLoad, the researchers said the group was known for exfiltrating sensitive data from victim environments, compromising software build environments, moving downstream to exploit further victims, and establishing persistence in targeted environments.
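The security-relevant lesson of this incident is that a valid Authenticode signature from the real vendor proves nothing on its own once the vendor's signing certificate or build pipeline is compromised. The check below is an added example written for this page; it is not Microsoft's tooling, CyberLink's code, or anything from the report. It uses only built-in Windows cmdlets, and the installer path, the vendor-published hash list and the disallowed-thumbprint list are placeholders you would fill from your own sources (a vendor bulletin, an internal allowlist, or a published revocation notice).

```powershell
# Added example, not from the original page: a valid signature is necessary but not
# sufficient. A trojanized installer signed with the vendor's own certificate returns
# Status 'Valid' from Get-AuthenticodeSignature, so this check additionally
#   (1) pins the file's SHA-256 to hashes the vendor published out of band, and
#   (2) rejects signer certificates on a locally maintained disallow list.
# All list contents and the sample path are placeholders (assumptions), not real IOCs.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 hashes of installers the vendor published out of band (placeholder values).
        [string[]] $KnownGoodSha256 = @(),
        # Thumbprints of signing certificates your organisation has disallowed (placeholder values).
        [string[]] $DisallowedThumbprints = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $findings = @()

    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is '$($sig.Status)'"
    }
    else {
        $thumb = $sig.SignerCertificate.Thumbprint
        if ($DisallowedThumbprints -contains $thumb) {
            $findings += "signer certificate $thumb is on the disallow list"
        }
        # Without an RFC 3161 countersignature there is no trusted signing time, so you
        # cannot tell whether the file was signed before or after a certificate was
        # reported compromised.
        if (-not $sig.TimeStamperCertificate) {
            $findings += "no timestamp countersignature; signing time cannot be established"
        }
    }

    if ($KnownGoodSha256.Count -gt 0 -and ($KnownGoodSha256 -notcontains $hash)) {
        $findings += "SHA-256 $hash is not in the vendor-published hash list"
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Status   = $sig.Status
        Sha256   = $hash
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with a hypothetical path and placeholder lists:
# Test-InstallerTrust -Path 'C:\Downloads\vendor_installer.exe' `
#     -KnownGoodSha256 @('<sha256 from vendor bulletin>') `
#     -DisallowedThumbprints @('<thumbprint from vendor or Microsoft advisory>')
```

The order of the checks matters: the hash pin is evaluated even when the signature is valid, because in this attack the signature was the part that looked right. If the vendor publishes no hashes, the function still flags a disallowed thumbprint and a missing timestamp, but `Trusted` will be true for any validly signed file, which is exactly the gap a stolen certificate exploits, so treat an empty `-KnownGoodSha256` as a weaker check, not a passing one.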
Lazarus linked to earlier supply chain attacks
While the advisory from NCSC and NIS did not refer specifically to the Lazarus Group, the agencies referenced two supply chain attacks “conducted by DPRK-based actors” in March this year, both of which have been attributed to Lazarus by researchers.
The first was an attack against MagicLine4NX, a security authentication tool developed by South Korean company Dream Security.
Threat actors compromised the website of a media outlet and planted malicious script into an article on the site, creating a "watering hole" that exploited a zero-day vulnerability in the authentication software.
“When victims opened the infected article from an internet-connected computer, which was installed with the vulnerable security authentication software, the vulnerable software executed the malicious code,” the agencies said.
“The victim computer then connected to the command and control (C2), and the attackers used the C2 to achieve remote control over the infected computer.”
AhnLab Security Emergency response Center (ASEC) researchers previously attributed the attack to Lazarus.
The second attack referenced in the NCSC and NIS advisory was the compromise of 3CX's VoIP desktop app, in which trojanized builds of the app were distributed to customers and used to deploy further malicious payloads on systems running the affected version.
“This constituted a significant global supply chain attack,” the agencies said in the advisory.