FB pixel

Microsoft discovers North Korean malware in legitimate CyberLink downloader

Microsoft discovers North Korean malware in legitimate CyberLink downloader
 

A supply chain attack originating in North Korea and Trojanized in an application installer from Taiwanese facial recognition provider CyberLink has overtones of a James Bond film.

According to a bulletin on the Microsoft Threat Intelligence blog, threat actors known as Diamond Sleet targeted foreign financial institutions on behalf of the Lazarus Group, a hacker agency for the DPRK. Malicious code embedded in the legitimate CyberLink application checks for the presence of specific security software. If the specified software is not installed, the sinister installer downloads, decrypts and then loads a second-stage payload disguised as a PNG file, which interacts with infrastructure previously compromised by Diamond Sleet.

The modified file, says the MS Threat Intelligence team, “was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.” More than 100 devices have been impacted across several countries, including Taiwan, Canada and the U.S.

Microsoft says it first observed suspicious activity associated with the CyberLink installer in October of this year. The compromised certificate has now been added to Microsoft’s disallowed certificates list and relevant parties have been notified, including MS Defender for Endpoint customers who were affected by the attack, and GitHub, which has removed the second-stage payload per its acceptable use policies.

Microsoft is continuing to track the weaponized application and associated payloads as “LambLoad.”

The name’s Sleet – Diamond Sleet

Exactly who or what is the mysterious Diamond Sleet? The digital espionage organization backed by Kim Jong-Un’s government targets media, defense and IT industries with data theft and attacks on corporate networks.

Microsoft has not yet identified “hands-on keyboard activity carried out after compromise with this malware,” and the post does not indicate any compromise of biometric data. But it says it has high confidence that the attack came from Diamond Sleet, which has a history of using similar Trojan horse tactics to infiltrate software build environments and move its malware downstream. Active since 2013, Diamond Sleet operates under the umbrella of the shadowy Lazarus Group, a formerly illegal but now government-sanctioned hacker agency known variously as Guardians of Peace, ZINC, BlueNoroff and Hidden Cobra.

Western leaders have attributed a number of major cyberattacks in recent years to the Lazarus Group, including the high-profile 2014 attack on Sony Pictures, Operation Ghost Secret, DarkSeoul, WannaCry and Ten Days of Rain.

Microsoft says it will add any necessary updates on the CyberLink issue to the Threat Intelligence post, which also includes recommendations for how to avoid the attack and mitigate its impact.

CyberLink’s facial recognition software received cybersecurity certification from a South Korean government body in September.

Related Posts

Article Topics

 |   |   | 

Latest Biometrics News

 

Biden executive order prioritizes privacy-preserving digital ID, mDLs

In one of his last official acts as President, Joe Biden on Thursday issued a robust new executive order (EO)…

 

Problem with police use of facial recognition isn’t with the biometrics

A major investigation by the Washington Post has revealed that police in the U.S. regularly use facial recognition as the…

 

Sri Lanka considers another tender to solve passport crisis

Sri Lanka’s government is likely to open another tender for e-passports after a legal dispute caused a backlog of thousands…

 

Age assurance gets warm early response from U.S. Supreme Court

The U.S. Supreme Court appears to be leaning toward support for Texas’ age assurance law, as it weighs a host…

 

State of passkeys 2025: passkeys move to mainstream

More than 1 billion people have activated at least one passkey according to the FIDO Alliance – an astonishing number…

 

Ofcom publishes highly anticipated age assurance statement

Ofcom has published its Age Assurance and Children’s Access Statement. The much-anticipated statement includes guidance on “highly effective age assurance”…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events