Microsoft warns of a North Korean-linked supply chain attack using trojanized CyberLink Software
A North Korean state-backed hacking group that Microsoft tracks as Diamond Sleet is distributing a trojanized installer for CyberLink, legitimate multimedia software made by a Taiwanese company. You may know the group by its more popular name, Lazarus, a sophisticated team that has worked on behalf of North Korea's government since at least 2013.
Microsoft researchers said last week that the tampered CyberLink installer contains malicious code that fetches and runs additional malware on the target device.
"This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team wrote in their analysis.
The attackers host the poisoned installer on legitimate update infrastructure owned by CyberLink, and the file is signed with a valid certificate issued to CyberLink Corp., so it passes as authentic to both users and signature checks. The installer also limits the time window in which it will execute and includes logic to evade detection by security products.
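The practical lesson of this campaign is that a valid code signature and a legitimate download location are necessary but not sufficient evidence that an installer is clean. The following PowerShell function is an added example, not code from Microsoft's report or from CyberLink: it verifies the Authenticode signature, rejects signers on a local disallowed list, and then insists that the file hash match a checksum obtained out of band. The `$ExpectedSha256` value, the `$RevokedThumbprints` list, and the installer path are placeholders the reader must supply; none of them come from the article.

```powershell
# Added example (not from the Microsoft report or CyberLink): a defensive check
# for a downloaded installer. A 'Valid' signature is treated as necessary, not
# sufficient, because the trojanized installer in this campaign carried a valid
# CyberLink certificate. ExpectedSha256 and RevokedThumbprints are assumptions
# to be replaced with the vendor-published checksum and your own disallowed list.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string]   $InstallerPath,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,      # vendor-published checksum (assumed, obtained out of band)
        [string[]]                        $RevokedThumbprints = @()  # signer thumbprints you have chosen to distrust (assumed)
    )

    $result = [ordered]@{
        Path            = $InstallerPath
        SignatureStatus = $null
        Signer          = $null
        HashMatch       = $false
        Verdict         = 'REJECT'
    }

    # Step 1: Authenticode signature. A broken or missing signature is an immediate reject.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    $result.SignatureStatus = $sig.Status
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        if ($RevokedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $result.Verdict = 'REJECT: signer certificate is on the local disallowed list'
            return [pscustomobject]$result
        }
    }
    if ($sig.Status -ne 'Valid') {
        $result.Verdict = "REJECT: signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    # Step 2: content check. A validly signed file whose hash does not match the
    # checksum published by the vendor is exactly the case this campaign exploited;
    # do not run it, quarantine it, and report it.
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    $result.HashMatch = ($actual -eq $ExpectedSha256.ToUpperInvariant())
    if (-not $result.HashMatch) {
        $result.Verdict = 'REJECT: valid signature but hash does not match the published checksum'
        return [pscustomobject]$result
    }

    $result.Verdict = 'ACCEPT'
    [pscustomobject]$result
}

# Usage (path and hash are placeholders, not values from the article):
# Test-InstallerTrust -InstallerPath 'C:\Downloads\CyberLinkInstaller.exe' `
#                     -ExpectedSha256 '<vendor-published SHA-256>'
```

The ordering matters: the hash comparison is done only after the signature passes, so a "REJECT" on the hash step means specifically "signed by someone trusted, but not the bytes the vendor published", which is the signal worth escalating. Because Microsoft added the abused certificate to its disallowed certificate list, an up-to-date Windows host may already return a non-Valid status for this particular file, but the function does not rely on that.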
Over 100 devices have been affected in countries including Japan, Taiwan, Canada, and the United States. The researchers report that the first suspicious activity associated with the modified CyberLink installer was observed on October 20, 2023, so the campaign has been active since at least that date.
Analysts attributed the attack to Diamond Sleet because the infected devices were observed communicating with command-and-control (C2) infrastructure that the group had previously compromised.
Microsoft said Diamond Sleet has previously weaponized other legitimate open-source and commercial software to target defense companies, technology firms, and media organizations. The group's attacks aim to steal intelligence that serves North Korean state interests.