Lazarus X_TRADER Hack Affects Critical Infrastructure Beyond 3CX Breach
Lazarus, the prolific North Korean hacking group behind the supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application.
The new findings, from Symantec's Threat Hunter Team, confirm earlier suspicions that the X_TRADER compromise affected more organizations than 3CX. The names of the affected organizations were not disclosed.
Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks occurred between September 2022 and November 2022.
“The impact of this infection is unknown at this time – further investigation is needed and is ongoing,” Chien said, adding there may be “the possibility of more of this story and possibly even other packages being trojanized.”
The developments come as Mandiant disclosed that last month's compromise of the 3CX desktop application was facilitated by an earlier software supply chain breach in 2022 targeting X_TRADER, a trojanized copy of which 3CX employees downloaded onto their personal computers.
It is currently unclear how UNC4736, a North Korean-nexus actor, tampered with X_TRADER, trading software developed by a company called Trading Technologies. While the software was discontinued in April 2020, it was still available for download on the company's website until last year.
Mandiant's investigation revealed that a backdoor (dubbed VEILEDSIGNAL) injected into the trojanized X_TRADER application allowed the adversaries to gain access to employees' computers and siphon their credentials, which were then used to penetrate the 3CX network, move laterally, and compromise the Windows and macOS build environments to insert malicious code.
The linked attacks appear to overlap substantially with previous North Korean-aligned groups and campaigns that have historically targeted cryptocurrency firms and carried out financially motivated attacks.
The Google Cloud subsidiary has judged with “moderate confidence” that the activity is related to AppleJeus, a persistent campaign targeting crypto companies for financial theft. Cybersecurity firm CrowdStrike previously linked the attack to a Lazarus cluster it called Labyrinth Chollima.
The same adversarial collective was previously linked by Google's Threat Analysis Group (TAG) to the compromise of the Trading Technologies website in February 2022, which was used to serve an exploit kit that took advantage of a zero-day flaw in the Chrome web browser.
ESET, in an analysis of a different Lazarus Group campaign, disclosed a new piece of Linux-based malware called SimplexTea that shares the same network infrastructure identified as used by UNC4736, further expanding existing evidence that the 3CX hack was orchestrated by North Korean threat actors.
“[Mandiant’s] findings about the second supply chain attack responsible for the 3CX compromise are revelations that Lazarus may increasingly turn to this technique to gain early access in their target network,” ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.
The compromise of the X_TRADER application further points to the attacker's financial motivations. Lazarus (also known as HIDDEN COBRA) is an umbrella term for several subgroups based in North Korea that engage in espionage and cybercrime on behalf of the Hermit Kingdom and to circumvent international sanctions.
Symantec's breakdown of the infection chain corroborates the deployment of the VEILEDSIGNAL modular backdoor, which also includes a process injection module that is injected into the Chrome, Firefox, or Edge web browsers. That module, in turn, contains a dynamic link library (DLL) that connects to the Trading Technologies website for command-and-control (C2).
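The browser-injection step Symantec describes is the kind of behavior endpoint telemetry can surface even when the C2 host is a legitimate website that domain reputation will not flag. As an added example (not Symantec's, Mandiant's or 3CX's code), the Python below parses constructed Sysmon-style CreateRemoteThread (Event ID 8) records and flags any thread created inside Chrome, Firefox, or Edge by a different process; the hostnames, paths, PIDs, and the `edr_agent.exe` allowlist entry are hypothetical.

```python
"""Flag remote-thread creation into web browsers from Sysmon-style events.

Added example, not code from Symantec, Mandiant, or 3CX. Event text,
hostnames, paths and PIDs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, FrozenSet, Iterable, List

# Browsers the page names as injection targets.
BROWSERS: FrozenSet[str] = frozenset({"chrome.exe", "firefox.exe", "msedge.exe"})

# Hypothetical allowlist: a security agent that legitimately injects into
# browsers on this fleet. Tune per environment; it is not a real product.
ALLOWED_INJECTORS: FrozenSet[str] = frozenset({"edr_agent.exe"})

# key=value pairs; values may contain spaces (Windows paths), so a value
# runs until the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed Sysmon-like records (Event ID 8 = CreateRemoteThread).
SAMPLE_EVENTS = [
    r"EventID=8 Computer=ws-trading-01 SourceImage=C:\Program Files\X_TRADER\X_TRADER.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe SourceProcessId=4120 TargetProcessId=5508",
    r"EventID=8 Computer=ws-trading-01 SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe SourceProcessId=5508 TargetProcessId=5512",
    r"EventID=8 Computer=ws-trading-02 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe SourceProcessId=900 TargetProcessId=7712",
    r"EventID=8 Computer=ws-trading-02 SourceImage=C:\Program Files\ExampleEDR\edr_agent.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe SourceProcessId=1204 TargetProcessId=8010",
    r"EventID=1 Computer=ws-trading-02 Image=C:\Program Files\Mozilla Firefox\firefox.exe ProcessId=7712",
]


@dataclass(frozen=True)
class Finding:
    host: str
    source: str       # image name of the injecting process
    target: str       # image name of the browser that received the thread
    source_pid: str
    target_pid: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value Key=Value' record into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def browser_injections(lines: Iterable[str],
                       allowed_sources: FrozenSet[str] = ALLOWED_INJECTORS) -> List[Finding]:
    """Return CreateRemoteThread events where a non-browser, non-allowlisted
    process created a thread inside a browser process."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue                      # only CreateRemoteThread records
        src = image_name(ev.get("SourceImage", ""))
        tgt = image_name(ev.get("TargetImage", ""))
        if tgt not in BROWSERS:
            continue                      # target is not a browser
        if src == tgt or src in allowed_sources:
            continue                      # browser self-injection or known tool
        findings.append(Finding(ev.get("Computer", "?"), src, tgt,
                                ev.get("SourceProcessId", "?"),
                                ev.get("TargetProcessId", "?")))
    return findings


if __name__ == "__main__":
    for f in browser_injections(SAMPLE_EVENTS):
        print(f"{f.host}: {f.source} (pid {f.source_pid}) -> "
              f"{f.target} (pid {f.target_pid})")
```

Browser self-injection (Chrome creating threads in its own renderer processes) is routine, which is why the filter compares image names rather than alerting on every Event ID 8 that touches a browser; the allowlist is where a real deployment absorbs its own security agents. The detection only covers the injection step; the DLL's beaconing to a legitimate site would need to be caught on the network side by looking for browser-like traffic that the browser itself did not originate.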
“The discovery that 3CX was breached by other previous supply chain attacks means further organizations will be affected by this campaign, which is now much more widespread than originally believed,” Symantec concluded.