North Korean Software Supply Chain Attack Hits North America, Asia 


November 24, 2023 at 07:36AM

A Taiwanese software company was breached by a North Korean threat group that Microsoft tracks as Diamond Sleet. The attackers modified a legitimate application installer so that it downloads and executes a malicious payload. Microsoft detected the activity and has published indicators of compromise. The group is known for data theft and espionage.

A North Korean threat group tracked by Microsoft as Diamond Sleet (formerly ZINC), which overlaps with the Lazarus Group, breached the Taiwanese software company CyberLink Corp. The attackers modified a legitimate application installer, adding malicious code that downloads and executes a second-stage payload. The trojanized installer was signed with a valid CyberLink code-signing certificate and was hosted on the company's legitimate update infrastructure, so neither signature checks nor the download source would have looked out of place.

Microsoft first observed this activity on October 20, 2023, and has seen the malicious installer reach over 100 devices in Japan, Taiwan, Canada, and the United States. The loader, which Microsoft named LambLoad, checks for the presence of security software from CrowdStrike, FireEye, and Tanium before executing its malicious code. If any of those products is detected, only the legitimate CyberLink application runs; the second-stage payload is retrieved only on hosts where none of them is found.
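Because LambLoad runs the clean installer when those three products are present, the malicious behaviour is only observable on hosts that lack them, and that is where a hunt for the "trusted installer turned downloader" pattern should start. The following is an added example of such a hunt over process-creation and network telemetry; it is not Microsoft's detection logic or CyberLink code, and the event format, field names, paths, and endpoints are constructed for illustration. It flags a signed installer that makes an outbound connection and then spawns a child process that is unsigned or staged in a temp directory, while leaving a signed installer that merely runs a signed updater alone.

```python
"""Hunt for a signed installer that downloads and launches a second stage.

Added example, not code from Microsoft or CyberLink. The Event schema and
all sample telemetry below are constructed; the IP is a documentation range.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: int              # event order (monotonically increasing)
    kind: str            # "process" (creation) or "network" (outbound connect)
    pid: int
    ppid: int
    image: str           # full path of the process image
    signed: bool = False  # Authenticode signature verified, as reported by telemetry
    dest: str = ""       # remote endpoint, for network events only


# Constructed sample telemetry (not real indicators of compromise).
EVENTS: List[Event] = [
    # Signed installer connects out, then launches an unsigned binary from Temp.
    Event(1, "process", 100, 1, r"C:\Users\alice\Downloads\Setup.exe", signed=True),
    Event(2, "network", 100, 1, r"C:\Users\alice\Downloads\Setup.exe", dest="203.0.113.5:443"),
    Event(3, "process", 101, 100, r"C:\Users\alice\AppData\Local\Temp\stage2.exe", signed=False),
    # Ordinary application start with a signed helper: no network activity first.
    Event(4, "process", 200, 1, r"C:\Program Files\Vendor\app.exe", signed=True),
    Event(5, "process", 201, 200, r"C:\Program Files\Vendor\helper.exe", signed=True),
    # Signed installer performs an update check and runs a signed updater: benign.
    Event(6, "process", 300, 1, r"C:\Users\alice\Downloads\OtherSetup.exe", signed=True),
    Event(7, "network", 300, 1, r"C:\Users\alice\Downloads\OtherSetup.exe", dest="198.51.100.7:443"),
    Event(8, "process", 301, 300, r"C:\Program Files\Vendor\Updater.exe", signed=True),
]


def find_suspicious_installers(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (installer_pid, first_remote_endpoint, child_image) for every
    signed process that connected out and afterwards spawned a child that is
    unsigned or lives under a Temp directory."""
    ordered = sorted(events, key=lambda e: e.ts)
    procs: Dict[int, Event] = {e.pid: e for e in ordered if e.kind == "process"}

    # First outbound connection per pid; a child created before it is not
    # "downloaded then executed" and is ignored.
    first_connect: Dict[int, Event] = {}
    for e in ordered:
        if e.kind == "network" and e.pid not in first_connect:
            first_connect[e.pid] = e

    hits: List[Tuple[int, str, str]] = []
    for e in ordered:
        if e.kind != "process":
            continue
        parent = procs.get(e.ppid)
        conn = first_connect.get(e.ppid)
        if parent is None or not parent.signed or conn is None:
            continue
        if conn.ts > e.ts:
            continue  # child predates any network activity by the parent
        staged = (not e.signed) or ("\\temp\\" in e.image.lower())
        if staged:
            hits.append((e.ppid, conn.dest, e.image))
    return hits


if __name__ == "__main__":
    for pid, dest, child in find_suspicious_installers(EVENTS):
        print(f"signed installer pid={pid} connected to {dest} then launched {child}")
```

The rule deliberately keys on what the parent did (signed, connected out) and what the child looks like (unsigned or staged in Temp) rather than on any hash or domain, because the CyberLink case shows that a valid signature and a legitimate download source are exactly what a supply-chain implant is designed to have. Hosts running one of the products LambLoad checks for will only ever show the benign branch, so the same rule run fleet-wide will surface the pattern on the unprotected hosts.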

Microsoft has not yet identified hands-on-keyboard activity following compromise through this installer, but Diamond Sleet is known to steal sensitive data, compromise software build environments, and establish persistent access to victim networks. Microsoft has shared indicators of compromise (IoCs) to help defenders detect Diamond Sleet activity on their networks.

This incident highlights the ongoing threat posed by North Korean hackers and shows that a valid code-signing certificate and a legitimate download location are not, by themselves, evidence that an installer is untampered.
