3CX hack caused by commercial software supply chain attack – BleepingComputer

An investigation into last month’s 3CX supply chain attack found it was caused by another supply chain compromise, in which suspected North Korean attackers targeted the website of stock trading automation company Trading Technologies to push trojanized software builds.

“We suspect there are a number of organizations that are not yet aware that they are compromised,” Charles Carmakal, CTO of Mandiant Consulting, told BleepingComputer.

“We hope that once we release this information, it will help expedite the process for organizations to determine they are compromised and contain their incidents.”

The rogue installer for Trading Technologies’ X_TRADER software employed the multi-stage modular backdoor VEILEDSIGNAL, designed to execute shellcode, inject a communication module into Chrome, Firefox or Edge processes, and terminate itself.

According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group (tracked as UNC4736) used harvested credentials to move laterally through 3CX’s network and eventually compromise both the Windows and macOS build environments.

“In the Windows build environment, the attacker deployed the TAXHAUL launcher and the COLDCAT downloader, which persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” Mandiant said.

“The macOS build server was compromised with the POOLRAT backdoor using LaunchDaemons as the persistence mechanism.”

The malware achieved persistence by sideloading DLLs over legitimate Microsoft Windows binaries, making detection difficult.

It also loads automatically during startup and grants attackers remote access to any compromised device over the internet.
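The persistence technique Mandiant describes above (a DLL planted so that the IKEEXT service host loads it at startup with LocalSystem privileges) is something defenders can hunt for in image-load telemetry. The following is an added example for this article, not code from BleepingComputer, 3CX or Mandiant. It assumes Sysmon Event ID 7 (Image loaded) records flattened to key=value lines, the field names of Sysmon's schema (Image, ImageLoaded, Signed, SignatureStatus), and the well-known fact that wlbsctrl.dll is the DLL name IKEEXT probes for and that hijackers supply; the sample events are constructed.

```python
import re
import ntpath
from typing import Dict, List

# Constructed sample records modelled on Sysmon Event ID 7 (Image loaded), flattened
# to key=value lines for this example. Real events come from the Windows event log;
# the field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\ikeext.dll Signed=true SignatureStatus=Valid",
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\wlbsctrl.dll Signed=false SignatureStatus=Unavailable",
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\rpcrt4.dll Signed=true SignatureStatus=Valid",
    "Image=C:\\Program Files\\App\\app.exe ImageLoaded=C:\\Program Files\\App\\helper.dll Signed=false SignatureStatus=Unavailable",
]

# DLL name that the IKEEXT service is known to probe for and that is absent by
# default, so a file with this name is the classic hijack (assumption: the article
# names only the service, not the DLL).
KNOWN_IKEEXT_HIJACK_DLLS = {"wlbsctrl.dll"}

# Processes that host Windows services; a DLL loaded into one of these runs with the
# service's privileges (LocalSystem for IKEEXT, as the article states).
SERVICE_HOST_IMAGES = {"svchost.exe"}

# key=value pairs where values may contain spaces (e.g. "Program Files"); a value
# runs until the next " Key=" token or end of line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value event line into a field dictionary."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def find_suspicious_service_loads(lines: List[str]) -> List[Dict[str, object]]:
    """Flag DLL loads into a service host process that are not validly signed or
    that use a known IKEEXT hijack name. Returns one finding per suspicious event."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        host = ntpath.basename(event.get("Image", "")).lower()
        if host not in SERVICE_HOST_IMAGES:
            continue  # only service-hosted loads are in scope for this check
        dll = ntpath.basename(event.get("ImageLoaded", "")).lower()
        reasons: List[str] = []
        if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature loaded into service host")
        if dll in KNOWN_IKEEXT_HIJACK_DLLS:
            reasons.append("known IKEEXT hijack DLL name")
        if reasons:
            findings.append({"image_loaded": event["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_service_loads(SAMPLE_EVENTS):
        print(finding["image_loaded"], "->", "; ".join(finding["reasons"]))
```

The unsigned helper.dll in the last sample is deliberately not flagged: it is not loaded into a service host, so it does not gain LocalSystem privileges and falls outside what this check looks for. In production the same two tests (signature validity of anything svchost.exe loads from System32, plus a short list of known hijack names) translate directly into a SIEM rule over the real Sysmon events.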

Links to Operation AppleJeus

According to Mandiant, UNC4736 is linked to the financially motivated North Korean Lazarus group behind Operation AppleJeus [1, 2, 3], which Google’s Threat Analysis Group (TAG) also linked to the compromise of the www.tradingtechnologies[.]com website in a March 2022 report.

Due to infrastructure overlaps, the cybersecurity firm also linked UNC4736 to two clusters of suspected malicious activity from APT43, tracked as UNC3782 and UNC4469.

“We found that UNC4736 is linked to the same North Korean operators based on the trojanized X_TRADER app distributed through the same compromised website mentioned in the TAG blog,” said Fred Plan, Mandiant Principal Analyst for Google Cloud, to BleepingComputer.

“This, combined with similarities in TTPs and overlaps with other infrastructure, gives us some confidence that these operators are interconnected.”

The 3CX Supply Chain Attack

On March 29, 3CX admitted that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, a day after news of a supply chain attack surfaced.

It took 3CX more than a week to respond to customer reports that its software had been identified as malicious by multiple cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.

Nick Galea, the company’s CEO, also said after disclosure of the attack that an ffmpeg binary used by the 3CX desktop client could have been the initial attack vector. However, FFmpeg denied Galea’s claims, stating that it only provides source code, which has not been compromised.

3CX advised customers to uninstall their Electron desktop client from all Windows and macOS devices (a bulk uninstall script can be found here) and immediately switch to the Progressive Web Application (PWA) Web Client App, which offers similar functionality.

In response to the 3CX disclosure, a team of security researchers created a web-based tool to help the company’s customers determine if their IP address may have been affected by the March 2023 supply chain attack.

According to the company’s official website, 3CX Phone System has over 12 million daily users and is used by more than 600,000 companies worldwide, including high-profile organizations and companies such as American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK National Health Service, and several automakers.

“The identified software supply chain compromise is the first that we are aware has led to another software supply chain compromise,” Mandiant said.

“This shows the potential reach of this type of compromise, particularly when an attacker can chain attacks, as demonstrated in this investigation.”