Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.
To address the potential risk of further attacks against our customers, Microsoft has taken the following steps to protect customers in response to this malicious activity:
- Microsoft has communicated this supply chain compromise to CyberLink
- Microsoft is notifying Microsoft Defender for Endpoint customers that have been targeted or compromised in this campaign
- Microsoft reported the attack to GitHub, which removed the second-stage payload in accordance with its Acceptable Use Policies
- Microsoft has added the CyberLink Corp. certificate used to sign the malicious file to its disallowed certificate list
- Microsoft Defender for Endpoint detects this activity as Diamond Sleet activity group.
- Microsoft Defender Antivirus detects the malware as Trojan:Win32/LambLoad.
Microsoft may update this blog as additional insight is gained into the tactics, techniques, and procedures (TTPs) used by the threat actor in this active and ongoing campaign.
