Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.
To address the potential risk of further attacks against our customers, Microsoft has taken the following steps to protect customers in response to this malicious activity:
Microsoft may update this blog as additional insight is gained into the tactics, techniques, and procedures (TTPs) used by the threat actor in this active and ongoing campaign.
The actor that Microsoft tracks as Diamond Sleet (formerly ZINC) is a North Korea-based activity group known to target media, defense, and information technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet is known to use a variety of custom malware that is exclusive to the group. Recent Diamond Sleet malware is described in Microsoft’s reporting of the group’s weaponization of open source software and exploitation of N-day vulnerabilities. Diamond Sleet overlaps with activity tracked by other security companies as Temp.Hermit and Labyrinth Chollima.
Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
Diamond Sleet utilized a legitimate code signing certificate issued to CyberLink Corp. to sign the malicious executable. This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate:
Signer: CyberLink Corp.
Issuer: DigiCert SHA2 Assured ID Code Signing CA
SignerHash: 8aa3877ab68ba56dabc2f2802e813dc36678aef4
CertificateSerialNumber: 0a08d3601636378f0a7d64fd09e4a13b
Microsoft currently tracks the malicious application and associated payloads as LambLoad.
LambLoad is a weaponized downloader and loader containing malicious code added to a legitimate CyberLink application. The primary LambLoad loader/downloader sample Microsoft identified has the SHA-256 hash 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be.
Before launching any malicious code, the LambLoad executable ensures that the date and time of the local host align with a preconfigured execution period.
The loader then targets environments that are not using security software affiliated with FireEye, CrowdStrike, or Tanium by checking for the following process names:
If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’:
The PNG file contains an embedded payload inside a fake outer PNG header that is, carved, decrypted, and launched in memory.
When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet:
The crypted contents of the PNG file (SHA-256: 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d) may be manually carved using the following command:
To restore the in-memory payload statically for independent analysis, the following Python script can be used to decrypt the carved contents.
To crypt and verify:
Both the fake PNG and decrypted PE payload have been made available on VirusTotal.
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
Microsoft Defender for Endpoint
Alerts with the following title in the security center can indicate threat activity on your network:
The following alert might also indicate threat activity related to this threat. Note, however, that this alert can be also triggered by unrelated threat activity.
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender Threat Intelligence
Microsoft Defender XDR Threat analytics
Microsoft Defender XDR
Microsoft Defender XDR (formerly Microsoft 365 Defender) customers can run the following query to find related activity in their networks:
let iocs = dynamic(["166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be", "089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d", "915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1"]); DeviceFileEvents | where ActionType == "FileCreated" | where SHA256 in (iocs) | project Timestamp, DeviceName, FileName, FolderPath, SHA256
Microsoft Defender XDR and Microsoft Sentinel
This query can be used in both Microsoft Defender XDR advanced hunting and Microsoft Sentinel Log Analytics. It surfaces devices where the modified CyberLink installer can be found.
DeviceFileCertificateInfo | where Signer contains "CyberLink Corp" | where CertificateSerialNumber == "0a08d3601636378f0a7d64fd09e4a13b" | where SignerHash == "8aa3877ab68ba56dabc2f2802e813dc36678aef4" | join DeviceFileEvents on SHA1 | distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
The following YAMLs contain queries that surface activities related to this attack:
The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
Indicator | Type | Description |
---|---|---|
166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be | SHA-256 | Trojanized CyberLink installer (LambLoad) |
089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d | SHA-256 | Second-stage PNG payload |
915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1 | SHA-256 | Decrypted PE from second-stage PNG |
hxxps[:]//update.cyberlink[.]com/Retail/Promeo/RDZCMSFY1ELY/CyberLink_Pr omeo_Downloader.exe | URL | CyberLink update URL used to deliver malicious installer |
hxxps[:]//update.cyberlink[.]com/Retail/Patch/Promeo/DL/RDZCMSFY1ELY/Cyb erLink_Promeo_Downloader.exe | URL | CyberLink update URL used to deliver malicious installer |
hxxps[:]//cldownloader.github[.]io/logo.png | URL | Stage 2 staging URL |
hxxps[:]//i.stack.imgur[.]com/NDTUM.png | URL | Stage 2 staging URL |
hxxps[:]//www.webville[.]net/images/CL202966126.png | URL | Stage 2 staging URL |
hxxps[:]//mantis.jancom[.]pl/bluemantis/image/addon/addin.php | URL | Stage 2 callback URL |
hxxps[:]//zeduzeventos.busqueabuse[.]com/wpadmin/js/widgets/sub/wids.php | URL | Stage 2 callback url |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.