North Korea-backed hackers target CyberLink customers in supply-chain attack

North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker, to target downstream customers.

Microsoft’s Threat Intelligence team said on Wednesday that North Korean hackers had compromised CyberLink to distribute a modified installer file from the company as part of a wide-reaching supply-chain attack.

CyberLink is a software company headquartered in Taiwan that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to the company’s website, CyberLink owns over 200 patented technologies and has shipped more than 400 million apps worldwide.

Microsoft said it observed suspicious activity associated with the modified CyberLink installer, tracked by the company as “LambLoad,” as early as October 20, 2023. It has so far detected the trojanized installer on more than 100 devices in several countries, including Japan, Taiwan, Canada and the US.

The file is hosted on legitimate update infrastructure owned by CyberLink, and the attackers used a legitimate code signing certificate issued to CyberLink to sign the malicious executable, according to Microsoft. “This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate,” said Microsoft’s Threat Intelligence team.

The company noted that a second-stage payload observed in this campaign interacts with infrastructure previously compromised by the same group of threat actors.

Microsoft has attributed this attack with “high confidence” to a group it tracks as Diamond Sleet, a North Korean nation-state actor linked to the notorious Lazarus hacking group. This group has been observed targeting organizations in information technology, defense and media, and it focuses predominantly on espionage, financial gain and corporate network destruction, according to Microsoft.

Microsoft said it has yet to detect hands-on-keyboard activity but noted that Diamond Sleet attackers commonly steal data from compromised systems, infiltrate software build environments, progress downstream to exploit further victims and attempt to gain persistent access to victims’ environments.

Microsoft said it notified CyberLink of the supply-chain compromise but didn’t say whether it had received a response or whether CyberLink had taken any action in light of the company’s findings. The company is also notifying Microsoft Defender for Endpoint customers who were affected by the attack.
