An investigation into last month’s 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds.
“We suspect there are a number of organizations that don’t yet know they are compromised,” Mandiant Consulting CTO Charles Carmakal told BleepingComputer.
“We’re hopeful that once we get this information out, it’ll help accelerate the process for companies to determine that they’re compromised and contain their incidents.”
The malicious installer for Trading Technologies’ X_TRADER software deployed the multi-stage modular backdoor VEILEDSIGNAL designed to execute shellcode, inject a communication module into Chrome, Firefox, or Edge processes, and terminate itself.
According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group (tracked as UNC4736) used harvested credentials to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.
“On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” .
“The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism.”
The malware achieved persistence through DLL side-loading via legitimate Microsoft Windows binaries, which made it harder to detect.
It also automatically loaded during start-up, granting attackers remote access to all compromised devices over the internet.
Links to Operation AppleJeus
Mandiant says UNC4736 is related to the financially motivated North Korean Lazarus Group behind [, , ], which by Google’s Threat Analysis Group (TAG) to the compromise of the www.tradingtechnologies[.] com website in a report from March 2022.
Based on infrastructure overlap, the cybersecurity firm also linked UNC4736 with two clusters of APT43 suspected malicious activity, tracked as UNC3782 and UNC4469.
“We determined UNC4736 is linked to the same North Korean operators based on the Trojanized X_TRADER app, distributed via the same compromised site mentioned in the TAG blog,” Fred Plan, Mandiant Principal Analyst for Google Cloud, told BleepingComputer.
“This, combined with similarities in TTPs, and overlap on other infrastructure, gives us moderate confidence that these operators are tied together.”
The 3CX supply-chain attack
On March 29, 3CX acknowledged that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, one day after surfaced
It took 3CX more than a week to react to customer reports that its software had been identified as malicious by several cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.
Nick Galea, the company’s CEO, also after the attack’s disclosure that a ffmpeg binary used by the 3CX desktop client may have been the initial intrusion vector. However, FFmpeg Galea’s allegations, saying that it only provides source code that has not been compromised.
3CX to uninstall its Electron desktop client from all Windows and macOS devices (a mass-uninstall script can be found ) and immediately switch to the progressive web application (PWA) Web Client App provides similar features.
In response to 3CX’s disclosure, a team of security researchers a web-based tool to assist the company’s customers in determining whether by the March 2023 supply chain attack.
According to the company’s official website, the 3CX Phone System has over 12 million daily users and is utilized by globally, including high-profile organizations and companies like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers.
“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” Mandiant said.
“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”