Enterprise communications services provider 3CX has confirmed that the supply chain attack targeting its desktop applications for Windows and macOS was the work of threat actors with a North Korean nexus.
The findings come from an interim assessment by Google-owned Mandiant, whose services were enlisted after the intrusion was uncovered late last month. The threat intelligence and incident response unit is currently tracking the activity under the uncategorized moniker UNC4736.
It should be noted that cybersecurity firm CrowdStrike linked the attack to a Lazarus sub-group nicknamed Labyrinth Chollima, citing tactical overlap.
The attack chain, based on analysis from several security vendors, entails using a DLL sideloading technique to load an information stealer known as ICONIC Stealer, followed by a second-stage payload called Gopuram in selective attacks aimed at cryptocurrency companies.
Mandiant's forensic investigation has now revealed that the threat actor infected 3CX systems with malware codenamed TAXHAUL, which is designed to decrypt and load shellcode containing a "complex downloader" dubbed COLDCAT.
"On Windows, the attacker used DLL sideloading to achieve persistence for the TAXHAUL malware," 3CX said. "The persistence mechanism also ensures the attacker's malware is loaded at system startup, allowing the attacker to maintain remote access to the infected system via the internet."
The macOS systems targeted in the attack are said to have been backdoored using another type of malware referred to as SIMPLESEA, a C-based malware that communicates over HTTP to execute shell commands, transfer files, and update configurations.
Malware families detected in 3CX environments have been observed contacting at least four command-and-control (C2) servers: azureonlinecloud(.)com, akamaicontainer(.)com, journalide(.)org, and msboxonline(.)com.
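The four C2 domains above are the one concrete, machine-checkable indicator the article gives, so a defender's first move is to sweep DNS telemetry for them. The following script is an added example written for this page, not code from the article, 3CX or Mandiant. It refangs the defanged indicators, then hunts over a handful of constructed DNS query log lines (the "timestamp client query qname" line format is an assumption for the demo, not a real product's log format) and matches exact names and subdomains while ignoring look-alike names that merely end in the same string.

```python
"""
Hunt DNS query logs for the four UNC4736 C2 domains named in the article.
Added example for this page; the indicators are copied from the article in
their defanged form, and the log lines below are constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Optional

# Defanged indicators exactly as published; refanged before matching.
DEFANGED_C2 = [
    "azureonlinecloud(.)com",
    "akamaicontainer(.)com",
    "journalide(.)org",
    "msboxonline(.)com",
]


def refang(indicator: str) -> str:
    """Turn 'example(.)com' or 'example[.]com' into 'example.com'."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", indicator).lower().strip(".")


C2_DOMAINS = [refang(d) for d in DEFANGED_C2]


def matches_c2(qname: str) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None.

    Requires a dot boundary, so 'notakamaicontainer.com' does not match
    'akamaicontainer.com'. Trailing dots (FQDN form) and case are normalised.
    """
    q = qname.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if q == c2 or q.endswith("." + c2):
            return c2
    return None


# Assumed log format for the demo: "<timestamp> <client_ip> query <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

# Constructed sample log: two benign names, one look-alike, three true hits
# (one as a subdomain with a trailing dot, one in upper case).
SAMPLE_LOG = """\
2023-03-29T10:01:02Z 10.0.4.17 query update.3cx.example
2023-03-29T10:01:05Z 10.0.4.17 query azureonlinecloud.com
2023-03-29T10:02:11Z 10.0.4.23 query login.microsoftonline.com
2023-03-29T10:03:40Z 10.0.4.23 query cdn.akamaicontainer.com.
2023-03-29T10:04:01Z 10.0.4.31 query notakamaicontainer.com
2023-03-29T10:05:09Z 10.0.4.17 query MSBOXONLINE.COM
"""


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines and return one record per query that hit a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        c2 = matches_c2(m["qname"])
        if c2:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "c2": c2})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['client']} -> {h['qname']} matches C2 {h['c2']}")
```

Against the sample log the sweep returns three hits from two internal clients; in practice the same matcher should be pointed at resolver or Zeek `dns.log` exports and the resulting client list fed straight into the host triage for the trojanized 3CX installs.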
3CX CEO Nick Galea, in a forum post last week, said the company was only aware of "a few cases" where the malware actually activated and was working to "strengthen our policies, practices and technologies to protect against future attacks." An updated application has since been made available to customers.
It is currently undetermined how the threat actors managed to get into the 3CX network, and whether that required weaponizing known or unknown vulnerabilities. The supply chain compromise is being tracked under the identifier CVE-2023-29059 (CVSS score: 7.8).