
North Korea-backed hackers target CyberLink users in attack

North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker, to customers.

The Microsoft Threat Intelligence Team said that North Korean hackers had compromised CyberLink to distribute a modified installation file from the company as part of a wide-ranging supply chain attack.

CyberLink is a Taiwan-based software company that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to CyberLink's website, it holds more than 200 patented technologies and has distributed more than 400 million applications worldwide.

Microsoft said it observed suspicious activity associated with the modified CyberLink installer, which the company tracks as "LambLoad", as early as October 20, 2023. It has so far detected the trojanized installer on more than 100 devices in several countries, including Japan, Taiwan, Canada and the United States.

According to Microsoft, the file is hosted on legitimate update infrastructure owned by CyberLink, and the attackers signed the malicious executable with a legitimate code-signing certificate issued to CyberLink. "This certificate has been added to Microsoft's disallowed certificate list to protect customers from future malicious use," said Microsoft's Threat Intelligence team.
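The detail that matters for defenders here is that the trojanized installer carried a genuine vendor signature, so a signature check alone would have passed until the certificate was distrusted. The script below is an added example, not part of the article and not CyberLink or Microsoft tooling: it inspects a file's Authenticode signer, looks the signer's thumbprint up in the Windows Disallowed certificate stores, and compares it against a locally maintained blocklist. The file path and the thumbprint value are placeholders, not indicators from the article.

```powershell
# Added example, not part of the TRPlane article or any CyberLink/Microsoft tooling.
# Checks whether a file's Authenticode signer is present in the Windows Disallowed
# certificate stores or in a locally maintained thumbprint blocklist.
# All paths and thumbprints below are placeholders, not indicators from the article.

param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # path to the installer under review (placeholder; supply your own)
)

# PLACEHOLDER list: populate from your own threat-intelligence feed, not from this script.
$BlockedThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Test-InstallerSigner {
    param([string]$FilePath, [string[]]$Blocklist)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    $result = [ordered]@{
        File              = $FilePath
        SignatureStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer            = $null
        Thumbprint        = $null
        InDisallowedStore = $false
        InLocalBlocklist  = $false
        Verdict           = 'REVIEW'
    }

    if ($null -eq $sig.SignerCertificate) {
        $result.Verdict = 'UNSIGNED'
        return [pscustomobject]$result
    }

    $result.Signer     = $sig.SignerCertificate.Subject
    $result.Thumbprint = $sig.SignerCertificate.Thumbprint

    # Windows consults the Disallowed stores during chain building; a certificate placed
    # there (as Microsoft did with the abused CyberLink certificate) is explicitly distrusted.
    $disallowed = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $result.Thumbprint }
    $result.InDisallowedStore = [bool]$disallowed

    $result.InLocalBlocklist = $Blocklist -contains $result.Thumbprint

    if ($result.InDisallowedStore -or $result.InLocalBlocklist) {
        $result.Verdict = 'BLOCK'
    }
    elseif ($sig.Status -eq 'Valid') {
        # A valid signature from a legitimate vendor certificate is exactly what a
        # supply-chain compromise like this one produces: treat it as necessary, not sufficient.
        $result.Verdict = 'SIGNED-VALID'
    }

    return [pscustomobject]$result
}

Test-InstallerSigner -FilePath $Path -Blocklist $BlockedThumbprints | Format-List
```

Because the Disallowed store is consulted during chain building, `SignatureStatus` will usually already stop reading `Valid` once a certificate has been distrusted; the explicit lookup is there so the reason is visible in the output rather than buried in a generic chain error. A `SIGNED-VALID` verdict is the expected state for a file signed with a stolen or abused vendor certificate before distrust propagates, which is why it is reported as a fact about the signature rather than as a clean bill of health.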

The company noted that a second-stage payload observed in this campaign interacts with infrastructure previously compromised by the same group of threat actors.

Microsoft has attributed this attack with "high confidence" to a group it tracks as Diamond Sleet, a North Korea-associated actor linked to the notorious Lazarus hacker group. This group has been observed targeting information technology, defense and media organizations, and, according to Microsoft, focuses predominantly on espionage, financial gain and the destruction of corporate networks.

Microsoft said it has yet to detect hands-on-keyboard activity, but noted that Diamond Sleet attackers commonly exfiltrate data from compromised systems, infiltrate software build environments, move downstream to exploit further victims, and attempt to gain persistent access to victims' environments.

Microsoft said it notified CyberLink about the supply chain compromise, but did not say whether it had received a response or whether CyberLink had taken any action in light of the findings. Microsoft is also notifying Microsoft Defender for Endpoint customers who were affected by the attack.
