A North Korean threat group breached a Taiwanese software company and leveraged its systems to deliver malware to devices in North America and Asia, Microsoft reported this week.
The threat actor is tracked by the tech giant as Diamond Sleet (Zinc). Previously described as a sub-group of the notorious Lazarus, the hacker gang has been conducting attacks for data theft, espionage, destruction and financial gain. In the past, it was observed targeting security researchers, penetration testers, and cybersecurity and tech company employees.
Microsoft discovered recently that Diamond Sleet had targeted CyberLink Corp, a Taiwan-based software company specializing in audio, video and photo editing applications.
The hackers compromised the company’s systems and modified a legitimate application installer. They added malicious code designed to download, decrypt and load a second-stage payload.
The malicious version of the installer was signed with a valid CyberLink certificate and hosted on legitimate update infrastructure.
Microsoft started seeing activity related to this malicious installer on October 20, with the file reaching more than 100 devices in Japan, Taiwan, Canada and the United States.
The company tracks the malware as LambLoad. The threat is designed to check the compromised host for the presence of security software from CrowdStrike, FireEye and Tanium before executing malicious code — only the legitimate CyberLink application is run if such security products are detected.
Microsoft has not seen any hands-on-keyboard activity as part of this campaign, but noted that the threat actor is known to steal sensitive data from victims, compromise software build environments, move downstream to other victims, and establish persistent access.
Microsoft has made available indicators of compromise (IoCs) to help defenders detect Diamond Sleet activity on their network.