Image: The Mansu Hill Grand Monument in Pyongyang, North Korea. Credit: Chris Rossel via Unsplash

North Korean attack on CyberLink impacted devices around the world, Microsoft says

Microsoft has uncovered a supply chain attack by North Korean hackers who attached a malicious file to a legitimate photo and video editing application installer.

In a blog on Wednesday, Microsoft Threat Intelligence said it attributed the activity to a group it calls Diamond Sleet — a hacking group within the North Korean government that focuses its efforts on espionage, data theft, financial gain, and network destruction, and targets media, IT services, and defense-related entities around the world.

The group built a malicious variant of an application made by the Taiwanese software company CyberLink, they said. The company did not respond to requests for comment about Microsoft’s findings.

“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products,” they said.

“Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.”

Microsoft researchers said they saw suspicious activity as early as October 20 but have not yet observed hands-on-keyboard activity carried out after compromise via this malware.

The malicious executable — named LambLoad — is a “weaponized downloader and loader.”

Before launching, the LambLoad executable checks the date and time and confirms the environment is not running security software from FireEye, CrowdStrike, or Tanium.

“If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code,” Microsoft said.

Otherwise, the software attempts to contact three malicious domains to download a second-stage payload that is embedded inside a file masquerading as a .PNG image.
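A practical check for the masquerade described above, added here as an example and not taken from Microsoft's report or from any CyberLink code: walk the chunk structure of a file served with a .PNG extension and flag anything that is not a well-formed image. The page does not say whether LambLoad's second stage is appended after a real image or whether the file merely carries the extension, so the check covers both cases (missing PNG signature, bad chunk CRCs, no IEND chunk, or bytes trailing IEND). The sample inputs, including the minimal 1x1 image, are constructed in the code.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG (not a real artifact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one grey pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> dict:
    """Parse the chunk list and report structural anomalies that a real image never has."""
    findings = {
        "has_png_magic": blob.startswith(PNG_MAGIC),
        "chunks": [],
        "crc_errors": 0,
        "iend_offset": None,
        "trailing_bytes": 0,
    }
    if not findings["has_png_magic"]:
        # Extension says PNG but the signature is absent: the whole file is opaque data.
        findings["trailing_bytes"] = len(blob)
        return findings

    pos = len(PNG_MAGIC)
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length  # header (8) + data + CRC (4)
        if end > len(blob):
            findings["chunks"].append(ctype.decode("latin-1") + "(truncated)")
            break
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != stored_crc:
            findings["crc_errors"] += 1
        findings["chunks"].append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            # IEND must be the last chunk; anything after it is not image data.
            findings["iend_offset"] = end
            break

    findings["trailing_bytes"] = len(blob) - pos
    return findings


def is_suspicious(blob: bytes) -> bool:
    """True when the file should not be trusted as a plain image."""
    f = inspect_png(blob)
    return (
        not f["has_png_magic"]
        or f["iend_offset"] is None
        or f["trailing_bytes"] > 0
        or f["crc_errors"] > 0
    )


if __name__ == "__main__":
    clean = make_minimal_png()
    # Constructed "trojanized" image: an opaque blob appended after IEND.
    with_appended_payload = clean + b"\x13\x37" * 32
    # Constructed file that only has the .png extension and no PNG structure at all.
    not_an_image = b"\x00\x11\x22\x33" * 16
    for name, blob in [("clean", clean), ("appended", with_appended_payload), ("fake", not_an_image)]:
        print(name, is_suspicious(blob), inspect_png(blob))
```

Trailing data after IEND is the classic place to stash an encrypted stage, because image viewers ignore it; a decoder-level check like this, or the equivalent in a proxy or EDR content filter, catches it even when the downloaded file renders as a perfectly good picture.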

Microsoft said it was able to tie the campaign to Diamond Sleet because in the second stage of the attacks the malware communicates with infrastructure previously compromised by the group.

The tech giant said it has also seen similar activity by the group in recent months, particularly targeting organizations in information technology, defense, and media.

Microsoft said it has informed CyberLink of the issue and has told customers who have been targeted or compromised in the campaign. It has also reported the CyberLink issue to GitHub, which removed the payload from its platform.

The CyberLink certificate used to sign the malicious file has been blocked by Microsoft tools as well.

A supply-chain pattern

Diamond Sleet is known to use custom malware and has previously been seen weaponizing open-source software alongside newly discovered vulnerabilities. The group typically seeks to exfiltrate sensitive data, compromise software build environments and attack downstream victims.

Diamond Sleet made waves in September when Microsoft revealed it was targeting organizations in Russia, one of North Korea’s few allies. Microsoft warned last year that hackers connected to Diamond Sleet were weaponizing legitimate open-source software.

In October, the group exploited a vulnerability disclosed earlier this year in a popular product from Czech software giant JetBrains. Diamond Sleet was observed deploying backdoors after exploiting the flaw, giving it persistent access to victims’ systems.

North Korean hackers have increasingly turned to supply-chain attacks like the one Microsoft identified.

In April, cybersecurity experts were alarmed to find North Korean hackers conducting a supply-chain attack on clients of the enterprise phone company 3CX after compromising the company itself through a separate third-party supply-chain attack.

Google cybersecurity firm Mandiant said the incident was the first time it had seen one software supply-chain attack (in which a threat actor compromises a victim’s network by gaining access to a trusted third party already present in that network) lead to another software supply-chain attack.

Update (11/30/2023): Eight days after the publication of this story, a spokesperson for CyberLink confirmed that on November 22, they "identified a malware issue in the installation file" for one of their programs, Promeo.

"Upon discovery, our dedicated cybersecurity team immediately removed the bug and additional security measures were put in place to prevent this from happening again in the future. We are committed to maintaining the highest standards of digital security and are taking this matter extremely seriously," the spokesperson said.

"Hence, as a precautionary measure, we made the decision to inspect the full lineup of CyberLink products (e.g. PowerDirector, PhotoDirector, PowerDVD) using trusted tools like Microsoft Defender, CrowdStrike, Symantec, TrendMicro, and Sophos software. We can confirm that none of the other programs were affected."


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.