Microsoft has revealed that a North Korean threat actor it tracks as Diamond Sleet breached the Taiwanese software developer CyberLink and trojanized one of its legitimate applications to distribute a malicious version.
The incident is a supply-chain attack: rather than targeting CyberLink customers directly, the attackers modified a CyberLink installer file so that anyone who obtained and ran it was compromised.
"Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet," the company said in a blog post.
Microsoft Says North Korean Hackers Used a Modified Installer File From CyberLink
CyberLink, headquartered in Taiwan, is a well-known software company specializing in multimedia software like PowerDVD and AI facial recognition technology. The company boasts over 200 patented technologies and has shipped more than 400 million apps globally.
According to Microsoft's Threat Intelligence team, the attackers used a modified installer file from CyberLink to carry out the supply-chain attack. The file began as a legitimate CyberLink application installer and was altered to include malicious code.
The modified installer was signed with a valid certificate issued to CyberLink Corp., so it passed ordinary code-signing checks; once run, the injected code downloaded, decrypted, and loaded a second-stage payload. The malicious activity has affected more than 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this attack with high confidence to Diamond Sleet, a North Korean threat actor known for targeting media, defense, and information technology industries globally. According to Microsoft, Diamond Sleet's activities include espionage, data theft, financial gain, and corporate network destruction.
The second-stage payload in this campaign communicates with infrastructure previously compromised by Diamond Sleet. Microsoft has observed the threat actor utilizing trojanized open-source and proprietary software in recent attacks against organizations in the information technology, defense, and media sectors.
Microsoft's Response to the Attack
In response to this activity, Microsoft has taken several steps to protect its customers. The company has communicated the supply-chain compromise to CyberLink, notified Microsoft Defender for Endpoint customers targeted or compromised in this campaign, and reported the attack to GitHub.
The second-stage payload was hosted on GitHub, which removed it promptly under its Acceptable Use Policies. To block further use of the signing certificate, Microsoft added the CyberLink Corp. certificate used to sign the malicious file to its disallowed certificate list.
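The two points above, that the trojanized installer carried a valid CyberLink signature and that Microsoft's remedy was to disallow that certificate, suggest the check a practitioner would want before running any vendor installer: a valid Authenticode signature is necessary but not sufficient, so the signer's thumbprint should also be compared against a disallowed list and the file's hash against a vendor-published value. The PowerShell script below is an added example written for this article; it is not Microsoft's, GitHub's or CyberLink's code. The disallowed thumbprints and known-good hashes it consumes are supplied by the operator, and any values shown in the usage note are constructed placeholders, not indicators from this incident.

```powershell
# Added example (not Microsoft's or CyberLink's code). Checks one or more installers:
#   1. Authenticode signature status must be Valid (Get-AuthenticodeSignature).
#   2. The signer thumbprint must not be on an operator-supplied disallowed list,
#      nor in the machine's Disallowed certificate store (best-effort check).
#   3. If a vendor-published SHA-256 is known for the file name, it must match.
# Thumbprints and hashes are assumptions passed in by the operator, not real IOCs.
param(
    [Parameter(Mandatory = $true)][string[]]$Path,
    [string[]]$DisallowedThumbprint = @(),
    [hashtable]$KnownGoodSha256 = @{}
)

function Test-Installer {
    param([string]$File)

    $sig   = Get-AuthenticodeSignature -FilePath $File
    $hash  = (Get-FileHash -Path $File -Algorithm SHA256).Hash
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    $name  = Split-Path -Leaf $File

    # Collect every finding instead of stopping at the first one, so an analyst
    # sees that a file can be validly signed and still be blocked.
    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }
    if ($thumb -and ($DisallowedThumbprint -contains $thumb)) {
        $reasons += "signer $thumb is on the operator disallowed list"
    }
    # The local Disallowed store only reflects what this machine has received;
    # a host that has not picked up Microsoft's updated disallowed list will
    # not flag the certificate here, which is why the explicit list above exists.
    $inStore = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Thumbprint -eq $thumb }
    if ($thumb -and $inStore) {
        $reasons += "signer $thumb is in Cert:\LocalMachine\Disallowed"
    }
    if ($KnownGoodSha256.ContainsKey($name) -and $KnownGoodSha256[$name] -ne $hash) {
        $reasons += "SHA-256 $hash does not match the vendor-published value"
    }

    [pscustomobject]@{
        File    = $File
        Signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Status  = $sig.Status
        Sha256  = $hash
        Verdict = if ($reasons.Count -eq 0) { 'ALLOW' } else { 'BLOCK' }
        Reasons = ($reasons -join '; ')
    }
}

$Path | ForEach-Object { Test-Installer -File $_ } | Format-Table -AutoSize
```

Saved as `Test-Installer.ps1`, it would be run as `.\Test-Installer.ps1 -Path .\Setup.exe -DisallowedThumbprint '<thumbprint from your blocklist>' -KnownGoodSha256 @{ 'Setup.exe' = '<hash published by the vendor>' }`, with both placeholders replaced by values the operator actually holds. The design point is that `Status -eq 'Valid'` on its own would have passed the trojanized CyberLink installer; only the thumbprint blocklist and the out-of-band hash comparison catch a file that is correctly signed with a compromised key.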
Microsoft Defender for Endpoint detects this activity under the Diamond Sleet activity group, and Microsoft may publish additional updates as the investigation progresses.
Diamond Sleet, formerly known as ZINC, is known for employing custom malware exclusive to the group. Microsoft recommended various mitigations, including the use of Microsoft Defender Antivirus, enabling network protection, and implementing investigation and remediation in a fully automated mode.
For devices that show this activity, Microsoft advises acting immediately: isolate the system, reset credentials and tokens used on it, and investigate the device timeline for signs of lateral movement.