Microsoft’s Threat Intelligence team has discovered that a North Korean hacker group is distributing a rogue version of a legitimate application from Taiwanese software manufacturer CyberLink. The group is said to have carried out a supply chain attack for this purpose.
Microsoft attributes the attack to the North Korean group it tracks as Diamond Sleet, better known as Lazarus. The group modified a legitimate CyberLink installer so that it also carries the malicious LambLoad loader executable. Microsoft's write-up does not name the affected CyberLink application, but the indicators of compromise it published reference the photo and video editing product Promeo.
According to Microsoft, the trojanized file is hosted on CyberLink's legitimate update infrastructure and is signed with a valid CyberLink code-signing certificate. This is what makes the attack dangerous: the download source and the signature both look exactly as they should, so checks that rely on "downloaded from the vendor" or "signature is valid" do not flag it. Microsoft has added the certificate to its list of disallowed certificates, "so that customers are protected from malicious use in the future."
When the trojanized installer runs, LambLoad first checks whether the host is a virtualized environment and whether any of three security products is present: FireEye, CrowdStrike or Tanium. If either condition holds, it executes no further malicious code and the victim sees only the ordinary installation. Otherwise it downloads and executes an additional payload to infect the system. The practical consequence for analysts is that detonating the sample in a stock virtual machine or on an EDR-instrumented host yields a benign-looking run; dynamic analysis needs a sandbox that hides the hypervisor and does not expose those product names, or the loader has to be examined statically.
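A host-level triage step for the situation described above (a trojanized installer that is served from the vendor's own infrastructure and carries a valid signature), added here as an example and not taken from Microsoft's advisory or from CyberLink: enumerate CyberLink-signed binaries, record signer thumbprint and SHA-256, and flag any signer certificate that is either in the local Disallowed store or in a thumbprint list the operator supplies. The search roots, the parameter names and the empty thumbprint list are assumptions; fill the list from Microsoft's published indicators, and note that a signature status of Valid is not evidence that the file is benign.

```powershell
# Added example (not from Microsoft's or CyberLink's material). Search roots, parameter
# names and the empty blocked-thumbprint list are assumptions; populate them from the
# published indicators of compromise before relying on the Disallowed column.
param(
    [string[]]$SearchRoots = @(
        "$env:ProgramFiles\CyberLink",
        "${env:ProgramFiles(x86)}\CyberLink",
        "$env:USERPROFILE\Downloads"
    ),
    [string[]]$BlockedThumbprints = @()   # assumption: operator supplies thumbprints from the IoC list
)

# Thumbprints of certificates the host itself already distrusts. Whether the CyberLink
# certificate appears here depends on the host having received Microsoft's updated
# disallowed-certificate list, so the explicit $BlockedThumbprints list is checked as well.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Thumbprint

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.exe,*.dll,*.msi -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            # Only CyberLink-signed files are of interest for this triage; 'return' inside
            # ForEach-Object skips the current file.
            if ($null -eq $cert -or $cert.Subject -notmatch 'CyberLink') { return }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status          # Valid / HashMismatch / NotTrusted / ... ; Valid alone proves nothing here
                Signer     = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Disallowed = ($disallowed -contains $cert.Thumbprint) -or
                             ($BlockedThumbprints -contains $cert.Thumbprint)
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Flagged files first; the SHA-256 column is what you compare against published file hashes.
$results | Sort-Object -Property Disallowed -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the certificate store and Program Files trees are readable. A file that shows Status = Valid and Disallowed = False is still not cleared: the trojanized installer was validly signed, so the hash comparison against the published indicators is the decisive check, and the thumbprint column tells you whether the host has actually received the updated disallowed-certificate list.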
Microsoft says it has found the malicious installer on more than a hundred devices. It has not, however, observed any hands-on-keyboard activity following infection via this malware, so the ultimate purpose of the CyberLink campaign is not yet clear. Microsoft notes that in earlier operations the Lazarus group has stolen sensitive data from compromised devices and has compromised software build environments, which fits the supply-chain pattern seen here. Microsoft says it has notified CyberLink of the attack; the report does not describe CyberLink's response or what remediation the company plans.