Microsoft Threat Intelligence uncovered a Diamond Sleet supply chain attack that tampered with a CyberLink installer to deliver a second-stage payload. The malicious file is signed with a valid CyberLink certificate, hosted on CyberLink infrastructure, and includes execution-time and anti-detection checks; it has affected over 100 devices across Japan, Taiwan, Canada, and the United States. Hashtags: #DiamondSleet #LambLoad #CyberLink #ZINC #DigiCert
Keypoints
- Diamond Sleet (aka ZINC) is linked to a supply chain compromise involving a legitimate CyberLink installer.
- The malicious file is a legitimate CyberLink application installer modified to download, decrypt, and load a second-stage payload (LambLoad).
- The file is signed with CyberLink Corp.’s valid certificate and later added to Microsoft’s disallowed certificate list.
- LambLoad checks the host date/time and detects security software processes (csfalconservice.exe, xagt.exe, taniumclient.exe) to decide whether to proceed.
- Second-stage payload is delivered via a fake PNG file hosted on multiple URLs and loaded in memory after carving/decrypting.
- Callback infrastructure used by the second-stage is hosted on compromised domains (e.g., mantis.jancom.pl and zeduzeventos.busqueabuse.com).
- Over 100 devices in multiple countries have been affected, with historical activity including data exfiltration and persistence.
MITRE Techniques
- [T1195] Supply Chain Compromise – Modified legitimate CyberLink installer delivering LambLoad. ‘malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.’
- [T1218] Signed Binary Proxy Execution – LambLoad loads malicious code via a legitimate, signed CyberLink installer. ‘The file … was signed using a valid certificate issued to CyberLink Corp.’
- [T1116] Code Signing – The malicious file is signed with CyberLink Corp.’s code-signing certificate; Microsoft subsequently added that certificate to its disallowed certificate list. ‘Signer: CyberLink Corp. … CertificateSerialNumber: 0a08d3601636378f0a7d64fd09e4a13b’
- [T1027] Obfuscated/Compressed Files and Information – PNG payload carved, decrypted, and launched in memory inside a file masquerading as a PNG. ‘The PNG file contains an embedded payload inside a fake outer PNG header … carved, decrypted, and launched in memory.’
- [T1105] Ingress Tool Transfer – LambLoad downloads the second-stage payload from multiple URLs after environment checks. ‘contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file’
- [T1071.001] Web Protocols / Command and Control – In-memory payload communicates with compromised infrastructure via HTTP(S) callbacks. ‘The in-memory executable attempts to contact the following callbacks for further instruction …’
- [T1562.001] Impair Defenses – Anti-analysis behavior by checking for security tools (csfalconservice.exe, xagt.exe, taniumclient.exe) and only proceeding if not detected. ‘The loader then targets environments that are not using security software …’
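The T1027 entry above and the Keypoints describe the second stage arriving as a file that is only a fake outer PNG header around an embedded payload. As an added example (not code from the report, from Microsoft, or from CyberLink), the following structural PNG check is the kind of heuristic a defender can run over downloaded image files to flag ones that do not actually parse as PNG. The exact internal layout of LambLoad’s PNG is not given on this page, so the two sample files below are constructed, and the checks (chunk walk, CRC-32 verification, missing IEND, bytes outside the chunk list) are generic PNG-conformance tests rather than a signature for this specific payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; a PNG header wrapped around a foreign blob fails here."""
    findings = []
    if not data.startswith(PNG_SIG):
        return {"valid_png": False, "findings": ["missing PNG signature"],
                "trailing_bytes": len(data)}
    pos, saw_iend = len(PNG_SIG), False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"non-ASCII chunk type at offset {pos}")  # blob, not a chunk
            break
        end = pos + 8 + length + 4
        if end > len(data):
            findings.append(f"chunk {ctype.decode()} overruns the file")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            findings.append(f"CRC mismatch in chunk {ctype.decode()}")
        pos = end
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    if len(data) - pos:
        findings.append(f"{len(data) - pos} bytes not covered by chunks")
    return {"valid_png": not findings, "findings": findings,
            "trailing_bytes": len(data) - pos}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


# Constructed samples (not artifacts from the report): a real 1x1 grayscale PNG,
# and a fake one whose valid IHDR is followed by an opaque blob instead of chunks.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
REAL_PNG = (PNG_SIG + _chunk(b"IHDR", IHDR)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
FAKE_PNG = PNG_SIG + _chunk(b"IHDR", IHDR) + bytes.fromhex("1337") * 32
```

A file that passes `inspect_png` can still carry data inside legitimate chunks, so treat a clean result as "structurally a PNG", not as proof the file is benign.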
Indicators of Compromise
- SHA-256 – 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be, 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d, 915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1 (Trojanized CyberLink installer – LambLoad)
- URL (trojanized installer hosted on CyberLink infrastructure) – hxxps[:]//update.cyberlink[.]com/Retail/Promeo/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe, hxxps[:]//update.cyberlink[.]com/Retail/Patch/Promeo/DL/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe
- URL (second-stage payload, fake PNG) – hxxps[:]//cldownloader.github[.]io/logo.png, hxxps[:]//i.stack.imgur[.]com/NDTUM.png, hxxps[:]//www.webville[.]net/images/CL202966126.png
- URL (second-stage callbacks on compromised domains) – hxxps[:]//mantis.jancom[.]pl/bluemantis/image/addon/addin.php, hxxps[:]//zeduzeventos.busqueabuse[.]com/wp-admin/js/widgets/sub/wids.php