North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker, to target downstream customers.
Microsoft’s Threat Intelligence team said on Wednesday North Korean hackers had compromised CyberLink to distribute a modified installer file from the company as part of a wide-reaching supply-chain attack.
CyberLink is a software company headquartered in Taiwan that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to the company’s website, CyberLink owns over 200 patented technologies and has shipped more than 400 million apps worldwide.
CyberLink spokesperson Melinda Ziemer told TechCrunch that the organization identified a “malware issue” in the installation file for one of its apps, a video editing program called Promeo, on November 11. “Upon discovery, our dedicated cybersecurity team immediately removed the bug and additional security measures were put in place to prevent this from happening again in the future,” Ziemer said, noting that none of the company’s other applications are impacted.
Microsoft said it observed suspicious activity associated with the modified CyberLink installer, tracked by the company as “LambLoad,” as early as October 20, 2023. It has so far detected the trojanized installer on more than 100 devices in multiple countries, including Japan, Taiwan, Canada and the United States.
The file is hosted on legitimate update infrastructure owned by CyberLink, according to Microsoft, and the attackers used a legitimate code signing certificate issued to CyberLink to sign the malicious executable, according to Microsoft. “This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate,” said Microsoft’s Threat Intelligence team.
The company noted that a second-phase payload observed in this campaign interacts with infrastructure previously compromised by the same group of threat actors.
Microsoft has attributed this attack with “high confidence” to a group it tracks as Diamond Sleet, a North Korean nation-state actor linked to the notorious Lazarus hacking group. This group has been observed targeting organizations in information technology, defense and media. And it focuses predominantly on espionage, financial gain and corporate network destruction, according to Microsoft.
Microsoft said it has yet to detect hands-on keyboard activity but noted that Diamond Sleet attackers commonly steal data from compromised systems, infiltrate software build environments, progress downstream to exploit further victims and attempt to gain persistent access to victims’ environments.
Microsoft said it notified CyberLink of the supply-chain compromise but did not say whether it had received a response or whether CyberLink had taken any action in light of the company’s findings. The company is also notifying Microsoft Defender for Endpoint customers who were affected by the attack.
UPDATE, Nov. 29, 11:00 a.m. ET: This article has been updated with comment from CyberLink.