Microsoft has alerted the software company CyberLink regarding the misuse of its software by the North Korean group “Diamond Sleet”, a cyber gang that is believed to have injected malicious code into the program, thus infecting more than a hundred targets.
CyberLink describes the threat as “LambLoad […] a weaponized downloader and loader containing malicious code added to a legitimate CyberLink application.” According to Microsoft, this method has been used to attack targets in Japan, Taiwan, Canada, and the US.
According to Cybernews, this malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file was embedded in the software firm’s legitimate update infrastructure and includes features that enable it to evade detection by cybersecurity programs.
Microsoft has said that the campaign could be linked with “high confidence” to the North Korean threat actor called “Diamond Sleet”, noting that the attack vector bears the identifying marks of one used in a previous attack linked to the group. “The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet,” said Microsoft.
Diamond Sleet, formerly known as ZINC, is said to be motivated by profit and to focus on espionage, personal and corporate data theft, and network sabotage, according to Microsoft.
The company has also seen the gang using “trojanized open-source and proprietary software” against IT, defense, and media organizations. Microsoft claims it has notified CyberLink of the problem, and also reported it to GitHub, which removed the second-stage payload portion of the Diamond Sleet malware from its forum.
The company’s ‘Defender for Endpoint’ software has been updated to flag the campaign as malicious activity that is attributed to the North Korean group.