Hackers backed by North Korea are distributing a modified version of a legitimate application created by CyberLink, a Taiwanese software company, to target downstream customers.
According to Microsoft's Threat Intelligence team, North Korean hackers compromised CyberLink to distribute a modified installer file as part of a widespread supply-chain attack.
CyberLink, headquartered in Taiwan, is a software company that specializes in developing multimedia software like PowerDVD and AI facial recognition technology. According to the company’s website, CyberLink possesses over 200 patented technologies and has shipped more than 400 million apps globally.
Microsoft reported observing suspicious activity related to the modified CyberLink installer, identified as “LambLoad,” as early as October 20, 2023. The trojanized installer has been detected on over 100 devices in various countries, including Japan, Taiwan, Canada, and the United States.
According to Microsoft, the file is hosted on legitimate update infrastructure owned by CyberLink, and the attackers used a genuine code signing certificate issued to CyberLink to sign the malicious executable. Microsoft stated that the certificate has been added to its disallowed certificate list to safeguard customers from potential misuse.
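The detail that matters for defenders in the paragraph above is that a signature can be cryptographically valid and still untrustworthy: the attackers signed the trojanized installer with CyberLink's own certificate. The following PowerShell script is an added example written for this page (it is not code from Microsoft, CyberLink, or the original article). It inventories Authenticode signatures under a directory and flags binaries whose signer thumbprint appears in a locally maintained block list, so that a file reporting `Valid` is still surfaced once its certificate has been disallowed. The install path, the block-list file name, and the thumbprint format are assumptions; the real CyberLink certificate thumbprint is not on this page, so the list file must be populated by the reader.

```powershell
# Added example, not from the article or the vendors it names.
# Inventory Authenticode signatures and flag signers on a local block list.
# Assumptions: $Root is the install path to audit; $DisallowFile holds one
# SHA-1 thumbprint per line, maintained by the security team (PLACEHOLDER
# values only; the real CyberLink thumbprint is not given on this page).
param(
    [string]$Root = "C:\Program Files\CyberLink",
    [string]$DisallowFile = ".\disallowed-thumbprints.txt"
)

# Load the local block list into a hashtable for O(1) lookups.
$disallowed = @{}
if (Test-Path $DisallowFile) {
    Get-Content $DisallowFile |
        Where-Object { $_ -match '^[0-9A-Fa-f]{40}$' } |
        ForEach-Object { $disallowed[$_.ToUpper()] = $true }
}

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert   = $sig.SignerCertificate
        $thumb  = $null
        $signer = ''
        if ($cert) {
            $thumb  = $cert.Thumbprint.ToUpper()
            $signer = $cert.Subject
        }
        [pscustomobject]@{
            Path        = $_.FullName
            # Status values include Valid, NotSigned, HashMismatch, NotTrusted.
            Status      = $sig.Status
            Signer      = $signer
            Thumbprint  = $thumb
            # "Valid" only means the chain verified at check time; a signer on
            # the local block list is still a finding regardless of Status.
            Blocked     = [bool]($thumb -and $disallowed.ContainsKey($thumb))
            # Untimestamped signatures stop validating once the cert expires
            # or is revoked, which is useful context during triage.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

# Findings: block-listed signer, tampered content, or a chain that no longer
# validates (for example after the certificate lands on a disallowed list).
$results |
    Where-Object { $_.Blocked -or $_.Status -in 'HashMismatch','NotTrusted' } |
    Format-Table Path, Status, Signer, Blocked -AutoSize

# Keep the full inventory for the incident record.
$results | Export-Csv -Path .\authenticode-inventory.csv -NoTypeInformation
```

Run it from an elevated PowerShell session on a host that installed the software during the window Microsoft describes. Windows applies Microsoft's own disallowed-certificate list automatically, which is why a previously `Valid` file can start reporting `NotTrusted`; the local block list in the script is for organizations that want an independent check that does not depend on that update having reached every endpoint.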
The second-stage payload observed in this campaign communicates with infrastructure previously compromised by the same group of threat actors.
Microsoft has attributed this attack with “high confidence” to a group it tracks as Diamond Sleet, a North Korean nation-state actor associated with the notorious Lazarus hacking group. This group has been observed targeting organizations in information technology, defense, and media, focusing primarily on espionage, financial gain, and corporate network destruction.
Although Microsoft has not detected direct hands-on keyboard activity, it noted that Diamond Sleet attackers typically steal data from compromised systems, infiltrate software build environments, progress downstream to exploit further victims, and attempt to gain persistent access to victims’ environments.
Microsoft informed CyberLink of the supply-chain compromise but did not disclose whether it had received a response or whether any action had been taken. Microsoft is also notifying Microsoft Defender for Endpoint customers affected by the attack.
CyberLink did not respond to TechCrunch’s inquiries.