FB pixel

Microsoft discovers North Korean malware in legitimate CyberLink downloader

Categories Biometrics News
Microsoft discovers North Korean malware in legitimate CyberLink downloader

A supply chain attack originating in North Korea and Trojanized in an application installer from Taiwanese facial recognition provider CyberLink has overtones of a James Bond film.

According to a bulletin on the Microsoft Threat Intelligence blog, threat actors known as Diamond Sleet targeted foreign financial institutions on behalf of the Lazarus Group, a hacker agency for the DPRK. Malicious code embedded in the legitimate CyberLink application checks for the presence of specific security software. If the specified software is not installed, the sinister installer downloads, decrypts and then loads a second-stage payload disguised as a PNG file, which interacts with infrastructure previously compromised by Diamond Sleet.

The modified file, says the MS Threat Intelligence team, “was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.” More than 100 devices have been impacted across several countries, including Taiwan, Canada and the U.S.

Microsoft says it first observed suspicious activity associated with the CyberLink installer in October of this year. The compromised certificate has now been added to Microsoft’s disallowed certificates list and relevant parties have been notified, including MS Defender for Endpoint customers who were affected by the attack, and GitHub, which has removed the second-stage payload per its acceptable use policies.

Microsoft is continuing to track the weaponized application and associated payloads as “LambLoad.”

The name’s Sleet – Diamond Sleet

Exactly who or what is the mysterious Diamond Sleet? The digital espionage organization backed by Kim Jong-Un’s government targets media, defense and IT industries with data theft and attacks on corporate networks.

Microsoft has not yet identified “hands-on keyboard activity carried out after compromise with this malware,” and the post does not indicate any compromise of biometric data. But it says it has high confidence that the attack came from Diamond Sleet, which has a history of using similar Trojan horse tactics to infiltrate software build environments and move its malware downstream. Active since 2013, Diamond Sleet operates under the umbrella of the shadowy Lazarus Group, a formerly illegal but now government-sanctioned hacker agency known variously as Guardians of Peace, ZINC, BlueNoroff and Hidden Cobra.

Western leaders have attributed a number of major cyberattacks in recent years to the Lazarus Group, including the high-profile 2014 attack on Sony Pictures, Operation Ghost Secret, DarkSeoul, WannaCry and Ten Days of Rain.

Microsoft says it will add any necessary updates on the CyberLink issue to the Threat Intelligence post, which also includes recommendations for how to avoid the attack and mitigate its impact.

CyberLink’s facial recognition software received cybersecurity certification from a South Korean government body in September.

Article Topics

 |   |   | 

Latest Biometrics News


Groups reject expiry date for digital ID cards in Kenya as govt defends move

Some civil society organizations in Kenya say they want an explanation from the government with regard to the institution of…


Idemia forensic software extracts human faces, tattoos for investigative leads

Even when a facial recognition system is integrated within a state or federal investigative agency, human intervention is necessary. In…


Nearly three quarters of U.S. adults worry deepfakes could sway election: Jumio

The hour is ripe for political deepfakes. The U.S. presidential elections are still four months away, and the campaign has…


Controversial US privacy bill rewritten again, but path still unclear

The already controversial American Privacy Rights Act of 2024 (APRA), which was originally introduced in April by U.S. Senate Commerce…


Selective disclosure and zero-knowledge proofs: Examining the latest revision of ETSI TR 119 476

By Sebastian Elfors, Senior Architect at IDnow In July 2024, the European Telecommunications Standards Institute (ETSI) published an updated revision of…


Contractor needed for project to identify civil registration hurdles in Chad

A request for the Expression of Interest (EOI) has been launched for a consultancy firm to identify challenges that stand…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events