Beginning on at least 20 October 2023, a North Korea-linked threat actor, tracked as Diamond Sleet by Microsoft, leveraged a modified CyberLink installer to compromise victim assets. CyberLink Corp. is a Taiwan-based multimedia software company that develops media editing and recording software.
The malicious installer was a legitimate CyberLink file, hosted on CyberLink's infrastructure and signed with a valid certificate issued by CyberLink Corp., that had been modified to include malicious code capable of downloading, decrypting, and loading a second-stage payload onto victim devices. Based on the filename, the threat actor may have been targeting users of the CyberLink Promeo product. However, because filenames are easily changed and this is a newly identified supply chain compromise, the campaign could affect additional CyberLink products.
Based on Microsoft's telemetry, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. Although specific industries were not highlighted, Diamond Sleet has historically targeted organisations within the information technology, defense, and media industries. Microsoft observed the second-stage payload communicating with infrastructure previously compromised by Diamond Sleet. However, no follow-on or hands-on-keyboard activity was observed after the second-stage payload was received.
CyberLink has been notified about the malicious installer, and the second-stage payload hosted on GitHub has been removed.
Recommendation #1: Query Environment for Known Indicators of Compromise
If your organisation uses CyberLink products within your environment, we strongly recommend querying your environment for the known malicious indicators of compromise (IOCs) identified by Microsoft. Additionally, use the IOCs to implement detections and firewall rules that detect and prevent future exploitation. The IOCs can be found here.
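The following is an added example of the hunt described above, not code from Microsoft or CyberLink. It scans newline-delimited JSON telemetry (EDR file events, DNS queries, network connections) for file hashes, domains and IP addresses from an IOC list, reports the hosts that need triage, and emits outbound firewall block rules for the IP indicators. The IOC values and the telemetry records are constructed placeholders: the real indicators are the ones Microsoft published, and the event field names (`host`, `type`, `sha256`, `query`, `dest_ip`) are assumptions that should be mapped to whatever your EDR or SIEM exports.

```python
"""Hunt endpoint telemetry for known indicators of compromise (IOCs).

Added example. The IOC values below are placeholders, not the indicators
Microsoft published for the Diamond Sleet / CyberLink campaign.
"""
import hashlib
import json
from typing import Dict, Iterable, List

# Placeholder IOCs (constructed). Replace with the hashes, domains and IPs
# from the vendor advisory before running against production telemetry.
IOCS: Dict[str, Dict[str, str]] = {
    "sha256": {
        "a" * 64: "placeholder: modified CyberLink installer",
        "b" * 64: "placeholder: second-stage payload",
    },
    "domain": {"example-c2.invalid": "placeholder: second-stage hosting infrastructure"},
    "ip": {"192.0.2.10": "placeholder: second-stage hosting infrastructure"},
}

# Constructed telemetry, one JSON record per line, shaped like EDR file, DNS
# and network-connection events. Field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws01", "type": "file",
                "path": "C:\\Users\\u\\Downloads\\Promeo_Setup.exe", "sha256": "A" * 64}),
    json.dumps({"host": "ws01", "type": "dns", "query": "cdn.example-c2.invalid."}),
    json.dumps({"host": "ws02", "type": "network", "dest_ip": "192.0.2.10", "dest_port": 443}),
    json.dumps({"host": "ws03", "type": "file",
                "path": "C:\\Program Files\\App\\setup.exe", "sha256": "c" * 64}),
    json.dumps({"host": "ws03", "type": "dns", "query": "www.example.com"}),
])


def sha256_of_file(path: str) -> str:
    """Hash a file on disk (e.g. a downloaded installer) for comparison with IOCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True when the queried name is the IOC domain itself or a subdomain of it."""
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def match_event(event: dict, iocs: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one hit per IOC that a single event touches."""
    hits = []
    sha = event.get("sha256")
    if sha:
        desc = iocs["sha256"].get(sha.lower())  # hashes compared case-insensitively
        if desc:
            hits.append({"host": event["host"], "ioc_type": "sha256", "ioc": sha.lower(), "desc": desc})
    query = event.get("query")
    if query:
        for d, desc in iocs["domain"].items():
            if domain_matches(query, d):
                hits.append({"host": event["host"], "ioc_type": "domain", "ioc": d, "desc": desc})
    ip = event.get("dest_ip")
    if ip and ip in iocs["ip"]:
        hits.append({"host": event["host"], "ioc_type": "ip", "ioc": ip, "desc": iocs["ip"][ip]})
    return hits


def hunt(lines: Iterable[str], iocs: Dict[str, Dict[str, str]] = IOCS) -> List[dict]:
    """Scan newline-delimited JSON events and collect every IOC hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if line:
            hits.extend(match_event(json.loads(line), iocs))
    return hits


def affected_hosts(hits: List[dict]) -> List[str]:
    """Distinct hosts that need isolation or triage, sorted."""
    return sorted({h["host"] for h in hits})


def outbound_block_rules(iocs: Dict[str, Dict[str, str]]) -> List[str]:
    """Windows Firewall (netsh) rules blocking outbound traffic to IOC IPs.

    netsh rules cannot match domain names; handle domain IOCs at the DNS
    resolver or web proxy instead.
    """
    return [
        f'netsh advfirewall firewall add rule name="IOC block {ip}" dir=out action=block remoteip={ip}'
        for ip in sorted(iocs["ip"])
    ]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS.splitlines())
    for hit in found:
        print(hit)
    print("hosts to triage:", affected_hosts(found))
    print("\n".join(outbound_block_rules(IOCS)))
```

Matching is deliberately conservative: hashes are compared exactly (case-folded), domains match only the indicator or its subdomains so that look-alike names such as `notexample-c2.invalid` do not fire, and IPs match exactly. A hash hit on an installer is the strongest signal for this campaign, since the signed file itself was modified; a domain or IP hit alone warrants triage of the host but may reflect the previously compromised infrastructure being reached for unrelated reasons.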