North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker, to target downstream customers.
Microsoft’s Threat Intelligence team said on Wednesday that North Korean hackers had breached CyberLink to distribute a modified version of the company’s installer as part of a wide-ranging software supply chain attack.
CyberLink is a Taiwan-based software company that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to the company’s website, CyberLink owns more than 200 patented technologies and has shipped more than 400 million applications worldwide.
Microsoft said it noticed suspicious activity related to the modified CyberLink installer, which it tracks as “LambLoad,” as early as October 20, 2023. So far it has detected the trojanized installer on more than 100 devices in several countries, including Japan, Taiwan, Canada and the United States.
According to Microsoft, the file is hosted on legitimate update infrastructure owned by CyberLink, and the attackers used a legitimate code signing certificate issued to CyberLink to sign the malicious executable. “This certificate has been added to Microsoft’s list of disallowed certificates to protect customers from future malicious use of the certificate,” said Microsoft’s Threat Intelligence team.
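The point of the paragraph above is that a signature which verifies cleanly is not evidence that a file is benign when the signer’s certificate has been abused. As an added example (not code from the article, from Microsoft or from CyberLink), the following PowerShell hunt inventories installers on a Windows host, records each file’s SHA-256 and Authenticode signer, and flags any whose signer thumbprint appears on a local disallowed list; the `$Path` default and the `$DisallowedThumbprints` entry are placeholders, since the article publishes neither the certificate’s thumbprint nor file hashes.

```powershell
# Added example, not from the article or from Microsoft/CyberLink.
# $DisallowedThumbprints is a placeholder: populate it from your own
# certificate blocklist before use.
param(
    [string]$Path = "C:\ProgramData\Installers",
    [string[]]$DisallowedThumbprints = @("<PLACEHOLDER-THUMBPRINT-FROM-DISALLOWED-LIST>")
)

$findings = foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.msi,*.dll) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $signer = $sig.SignerCertificate
    $onBlocklist = $signer -and ($DisallowedThumbprints -contains $signer.Thumbprint)

    # A signature that verifies is not proof of a benign file: the signer's
    # certificate may itself be stolen or abused, which is the case the
    # article describes, so the blocklist check takes precedence over Status.
    $verdict = if ($onBlocklist) { 'SIGNER_DISALLOWED' }
               elseif ($sig.Status -eq 'Valid') { 'SIGNED_OK' }
               else { "SIG_$($sig.Status)" }

    [pscustomobject]@{
        File       = $file.FullName
        SHA256     = $hash
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Verdict    = $verdict
    }
}

# Surface disallowed signers and unsigned or broken signatures before clean files.
$findings | Sort-Object { $_.Verdict -eq 'SIGNED_OK' } | Format-Table -AutoSize
```

Files reported as SIGNER_DISALLOWED or with a non-Valid status are candidates for correlation with endpoint telemetry and for retrieval of the file for analysis; a SIGNED_OK verdict only means the signer was not on the supplied list.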
Microsoft also noted that a second-stage payload observed in this campaign interacts with infrastructure previously compromised by the same threat actor.
Microsoft has attributed the attack with “high confidence” to a group it tracks as Diamond Sleet, a North Korean nation-state actor linked to the notorious Lazarus hacking group. The group has been observed targeting organizations in information technology, defense and media, and it focuses primarily on espionage, financial gain and the destruction of corporate networks, according to Microsoft.
Microsoft said it has yet to detect hands-on-keyboard activity, but noted that Diamond Sleet attackers typically exfiltrate data from compromised systems, infiltrate software build environments, move downstream to exploit further victims, and attempt to establish persistent access in victim environments.
Microsoft said it notified CyberLink of the supply chain compromise, but did not say whether it had received a response or whether CyberLink had taken any action in light of its findings. Microsoft is also notifying Microsoft Defender for Endpoint customers affected by the attack.
CyberLink did not respond to TechCrunch’s questions.