
North Korean Hackers Attack Software Installers in America, Asia

Microsoft Threat Intelligence has disclosed malicious activity by North Korean hackers who trojanized a legitimate software installer to reach targets in North America and the Asia Pacific.

According to the report, the incident was a supply chain attack that used a modified version of an application installer developed by the Taiwanese multimedia software company CyberLink.

Microsoft attributes the activity to Diamond Sleet, a Pyongyang-backed threat actor known for trojanizing open-source and proprietary software to attack the defense, communications, and media sectors.

In this case the trojanized CyberLink installer compromised the devices, and potentially the networks, of users who installed or updated the affected application.

The malicious installer was also signed with a valid code-signing certificate issued to CyberLink and was hosted on CyberLink's own update infrastructure. A validly signed file served from the vendor's legitimate distribution point looks like a normal release, so it passes signature checks and evades security controls that trust the vendor's certificate.
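The practical lesson is that a valid Authenticode signature from the vendor's own certificate proves nothing about a file that the vendor's infrastructure has already been abused to serve. The following PowerShell triage check is an added example, not code from Microsoft's report or from CyberLink: it verifies the signature and signer, and additionally pins the installer's SHA-256 to a value obtained out of band. The signer CN and the expected hash are assumptions supplied by the operator.

```powershell
# Added example (not from Microsoft's report or CyberLink): triage a downloaded
# installer before running it. Signature validity alone is NOT sufficient, since
# the trojanized CyberLink installer carried a valid vendor signature; the file
# hash must also match a value published by the vendor out of band.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: the vendor publishes a SHA-256 for each release. Obtain it from
    # a different channel than the download itself (vendor site over TLS,
    # release notes), never from the same mirror that served the installer.
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    # Assumption: the subject CN of the vendor's code-signing certificate.
    [string] $ExpectedSignerCN = 'CyberLink Corp.'
)

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # uppercase hex

$findings = @()

# 1. Signature must be present and chain to a trusted root.
if ($sig.Status -ne 'Valid') {
    $findings += "signature status: $($sig.Status)"
}
# 2. The signer must be the expected vendor, not merely any trusted publisher.
elseif ($sig.SignerCertificate.Subject -notlike "CN=$ExpectedSignerCN*") {
    $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. The file must match the hash the vendor published out of band.
if ($hash -ne $ExpectedSha256.ToUpper()) {
    $findings += "SHA-256 mismatch: got $hash, expected $($ExpectedSha256.ToUpper())"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path is signed by $ExpectedSignerCN and matches the published hash"
    exit 0
}

Write-Output "DO NOT RUN $Path"
$findings | ForEach-Object { Write-Output "  - $_" }
# A Valid signature combined with a hash mismatch is exactly the pattern seen in
# the CyberLink incident: treat it as a potential supply chain compromise and
# escalate it rather than simply re-downloading the file.
exit 1
```

Run it as `.\Check-Installer.ps1 -Path .\Setup.exe -ExpectedSha256 <hash>`. The script deliberately reports every failing check rather than stopping at the first one, because the combination of findings (valid signature, wrong hash) is what distinguishes a tampered vendor release from an ordinary corrupted download.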

“Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet is known to use a variety of custom malware that is exclusive to the group,” Microsoft wrote.

“Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023.”

“The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.”

Actors from China

Microsoft also recorded a separate case in early November involving a Chinese state-sponsored hacking group whose activity centers on credential access and network discovery against organizations in Guam and elsewhere in the United States.

Microsoft attributes that activity to Volt Typhoon, which pursues espionage and related information-gathering campaigns against critical infrastructure organizations.
