North Korean Hackers Behind Attacks On Supply Chain

Hackers with ties to the North Korean government are spreading malware that masquerades as a legitimate program made by CyberLink of Taiwan in order to compromise users further downstream.

As part of a massive supply-chain assault, hackers from North Korea hacked CyberLink and distributed a modified installation file from the firm, according to Microsoft’s Threat Intelligence team.

Taiwanese software business CyberLink provides multimedia products, including PowerDVD and AI face recognition. CyberLink’s website claims over 200 technology patents and 400 million apps distributed globally.

CyberLink representative Melinda Ziemer informed the media that on November 11 the installation file for Promeo, a video editing tool, included malware. After discovering the flaw, the cybersecurity team deleted it and added security steps to prevent it from occurring again, Ziemer said. None of the firm’s other apps were affected.

Microsoft detected suspicious activity in the modified CyberLink installer, LambLoad, on October 20, 2023. It has found the malware on over 100 machines in Japan, Taiwan, Canada, and the US.

Microsoft claims that the attackers signed the malicious executable using a CyberLink-issued code signing certificate and hosted the file on genuine update infrastructure. Microsoft’s Threat Intelligence team put this certificate on its prohibited certificate list to safeguard consumers from unauthorized usage.

Microsoft strongly suspects a North Korean nation-state actor, Diamond Sleet, affiliated with the infamous Lazarus hacker organization, of this assault.

Microsoft tracks Diamond Sleet (previously ZINC) as a North Korean threat actor that targets media, military, and IT companies worldwide. Diamond Sleet focuses on espionage, theft of personal and business data, and network disruption.

The hacker group Diamond Sleet often steals data from compromised computers, infiltrates software development environments, moves downstream to exploit other victims, and attempts to establish persistent access to victims’ environments. Microsoft has not yet seen hands-on activity.

According to Microsoft, it informed CyberLink about the supply-chain breach; however, the software giant did not specify whether CyberLink had responded or taken any action after receiving the notification. Microsoft is also notifying Microsoft Defender for Endpoint users impacted by the malware.