Microsoft has reported that a North Korean hacking group, Diamond Sleet, executed a supply chain attack on CyberLink, a Taiwanese multimedia software company. The hackers trojanized one of CyberLink’s installers, using a valid code signing certificate issued to CyberLink for the malicious executable.
This trojanized installer has been discovered on more than 100 devices worldwide, impacting regions such as Japan, Taiwan, Canada, and the United States. The second-stage payload of the attack, identified as LambLoad, interacts with infrastructure previously compromised by the same threat actors.
The supply chain attack is suspected to have originated as early as October 20, 2023, with the trojanized installer being hosted on legitimate CyberLink update infrastructure. Microsoft has attributed the attack to Diamond Sleet with high confidence, adding the compromised certificate to its disallowed certificate list to prevent future misuse.
The attackers utilized a valid code signing certificate issued to CyberLink Corp., giving their malicious executable an appearance of legitimacy. The second-stage payload, LambLoad, functions as a downloader and loader, with its operation dependent on whether specific security software is present on the targeted systems.
Microsoft’s detection and response to the supply chain attack involved informing CyberLink and notifying affected Microsoft Defender for Endpoint users. Additionally, Microsoft reported the attack to GitHub, resulting in the removal of the second-stage payload according to GitHub’s Acceptable Use Policies.
The attack highlights the ongoing threat of state-sponsored cyberespionage groups engaging in supply chain attacks to compromise software distribution channels and infiltrate target systems globally. The use of a legitimate code signing certificate adds a layer of sophistication to the attack, emphasizing the need for enhanced cybersecurity measures and vigilance in protecting software supply chains.
