
Microsoft discovers North Korean malware in legitimate CyberLink downloader

A supply chain attack originating in North Korea and delivered through a Trojanized application installer from Taiwanese facial recognition provider CyberLink has overtones of a James Bond film.

According to a bulletin on the Microsoft Threat Intelligence blog, threat actors known as Diamond Sleet targeted foreign financial institutions on behalf of the Lazarus Group, a hacker agency for the DPRK. Malicious code embedded in the otherwise legitimate CyberLink installer checks for the presence of specific security software. If that software is not installed, the sinister installer downloads, decrypts and then loads a second-stage payload disguised as a PNG file, which then communicates with infrastructure previously compromised by Diamond Sleet.
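One structural check a defender can run on files that claim to be images is to parse them as the format they advertise: a payload merely named or served as a PNG usually fails the signature, chunk-layout or CRC rules that a real encoder always satisfies. The validator below is an added example written for this article; it is not Microsoft's or CyberLink's code, says nothing about how LambLoad's payload is actually encoded, and uses only sample inputs constructed inline (a minimal 1x1 PNG and a few deliberately malformed variants).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def looks_like_png(data: bytes) -> tuple:
    """Walk the PNG chunk structure and return (is_valid, reason).

    Checks performed: 8-byte signature, IHDR as the first chunk, a correct
    CRC-32 on every chunk, a terminating IEND chunk, and no bytes after IEND.
    Any failure marks the file as a candidate for "not really an image".
    """
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("ascii", "replace")
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            return False, f"truncated chunk {name}"
        expected_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        actual_crc = zlib.crc32(ctype + data[body_start:body_end]) & 0xFFFFFFFF
        if expected_crc != actual_crc:
            return False, f"bad CRC in chunk {name}"
        if ctype == b"IEND":
            trailing = len(data) - (body_end + 4)
            if trailing:
                return False, f"{trailing} bytes after IEND"
            return True, "ok"
        pos = body_end + 4
    return False, "no IEND chunk"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit RGB PNG with a single red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + RGB(255,0,0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def constructed_samples() -> dict:
    """Constructed test corpus: one genuine image and several fakes."""
    good = build_minimal_png()
    bad_crc = bytearray(good)
    bad_crc[16] ^= 0x01  # flip a bit inside the IHDR body so its CRC no longer matches
    return {
        "genuine.png": good,
        "executable_renamed.png": b"MZ" + b"\x90" * 64,
        "signature_only.png": PNG_SIGNATURE + b"\x00" * 32,
        "appended_data.png": good + b"\x00" * 16,
        "corrupt_ihdr.png": bytes(bad_crc),
    }


def triage(samples: dict) -> dict:
    """Map each sample name to the validator's reason string."""
    return {name: looks_like_png(blob)[1] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reason in triage(constructed_samples()).items():
        print(f"{name:26s} -> {reason}")
```

Only `genuine.png` comes back as `ok`; each of the constructed fakes is rejected with the specific rule it broke, which is the kind of reason string worth attaching to an alert. The check is purely structural, so it cannot tell a benign oversized image from a hostile one, but it is cheap enough to run on every image-typed download an endpoint or proxy sees.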

The modified file, says the MS Threat Intelligence team, “was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.” More than 100 devices have been impacted across several countries, including Taiwan, Canada and the U.S.

Microsoft says it first observed suspicious activity associated with the CyberLink installer in October of this year. The compromised certificate has now been added to Microsoft’s disallowed certificates list and relevant parties have been notified, including MS Defender for Endpoint customers who were affected by the attack, and GitHub, which has removed the second-stage payload per its acceptable use policies.

Microsoft is continuing to track the weaponized application and associated payloads as “LambLoad.”

The name’s Sleet – Diamond Sleet

Exactly who or what is the mysterious Diamond Sleet? The digital espionage organization backed by Kim Jong-Un’s government targets media, defense and IT industries with data theft and attacks on corporate networks.

Microsoft has not yet identified “hands-on keyboard activity carried out after compromise with this malware,” and the post does not indicate any compromise of biometric data. But it says it has high confidence that the attack came from Diamond Sleet, which has a history of using similar Trojan horse tactics to infiltrate software build environments and move its malware downstream. Active since 2013, Diamond Sleet operates under the umbrella of the shadowy Lazarus Group, a formerly illegal but now government-sanctioned hacker agency known variously as Guardians of Peace, ZINC, BlueNoroff and Hidden Cobra.

Western leaders have attributed a number of major cyberattacks in recent years to the Lazarus Group, including the high-profile 2014 attack on Sony Pictures, Operation Ghost Secret, DarkSeoul, WannaCry and Ten Days of Rain.

Microsoft says it will add any necessary updates on the CyberLink issue to the Threat Intelligence post, which also includes recommendations for how to avoid the attack and mitigate its impact.

CyberLink’s facial recognition software received cybersecurity certification from a South Korean government body in September.
