Microsoft alerts CyberLink to North Korean threat

Microsoft has alerted software company CyberLink to the misuse of its software by North Korean group Diamond Sleet. The cyber gang is believed to have injected malicious code into the program, infecting more than 100 targets.

The threat is described by the tech giant as “LambLoad [...] a weaponized downloader and loader containing malicious code added to a legitimate Cyberlink application.” Microsoft says it has been used to attack targets in Japan, Taiwan, Canada, and the US.

“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” it added.

The file was embedded in the software firm’s legitimate update infrastructure and includes features that enable it to evade detection by cybersecurity programs.

Microsoft said the campaign could be linked with “high confidence” to North Korean threat actor Diamond Sleet, noting that the attack vector bears hallmarks of one used in a previous attack linked to the group.

“The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet,” said Microsoft.

The tech giant says it has also seen the gang using “trojanized open-source and proprietary software” against IT, defense, and media organizations.

Microsoft says it has notified CyberLink of the problem, and also reported it to GitHub, which removed the second-stage payload portion of the Diamond Sleet malware from its forum.

The tech giant’s Defender for Endpoint software has been updated to flag the campaign as malicious activity attributed to the North Korean group.

Formerly known as ZINC, Diamond Sleet is said by Microsoft to be motivated by profit and focus on espionage, personal and corporate data theft, and network sabotage.