Diamond Sleet supply chain compromise distributes a modified CyberLink installer
Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised …
IoC