Lazarus is spreading malware through compromised software

23 Nov 2023

Microsoft claims the notorious hacking group has used a legitimate company installer as a way to spread malware to more than 100 victims in multiple countries.

A new report by Microsoft warns that North Korean hacking group Lazarus is spreading malware from a compromised version of a CyberLink product.

CyberLink is a Taiwanese multimedia software company that develops various products. The Microsoft report claims Lazarus uses a legitimate CyberLink application installer as a way to spread malware through supply chain attacks.

Microsoft claims that Lazarus – also known as Diamond Sleet – has managed to impact more than 100 devices in multiple countries from this attack method. The impacted countries include Japan, Taiwan, Canada and the US.

“More recently, Microsoft has observed Diamond Sleet utilising trojanised open-source and proprietary software to target organisations in information technology, defence and media,” the company said in its report.

Microsoft claims that the malicious file downloads, decrypts and loads a “second-stage payload” onto victims’ devices. This file is hosted on legitimate update infrastructure owned by CyberLink and has certain measures in place to evade detection by security products.

The report claims Lazarus has used this file to steal sensitive data, compromise software builds and give itself persistent access to devices. Microsoft said it has informed CyberLink about this “supply chain compromise” and has updated its own security products to detect the malicious file.

The Lazarus Group was blamed for the notorious WannaCry cyberattack in 2017, which was unprecedented in scale at the time and wreaked havoc around the globe. This group is also believed to be behind the infamous hack of Sony Pictures Entertainment in 2014.

This group was also linked to some high-profile attacks last year, including the massive theft from gaming-focused blockchain network Ronin, in which roughly $625m was stolen.

A report from blockchain analytics company Elliptic suggests Lazarus has been ramping up its operations and changing tactics this year. This report claimed the hacking group stole an estimated $240m in crypto assets in less than four months.

Leigh Mc Gowran is a journalist with Silicon Republic