The supply chain attack targeting 3CX was the result of a previous supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Mandiant belongs to Google, which tracks attack events under the moniker UNC4736, said the incident marked the first time that a “software supply chain attack led to another software supply chain attack.”
The Matryoshka doll-style cascading attack against 3CX was first uncovered on March 29, 2023, when it was discovered that the Windows and macOS versions of its communications software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer via a downloader, SUDDENICON, which uses an icon file that hosted on GitHub to extract the server containing the thief.
“The malicious application then attempts to steal sensitive information from the victim’s user’s web browser,” US Cyber and Infrastructure Security Agency (CISA) said in malware analysis. “Specifically it will target Chrome, Edge, Brave, or Firefox browsers.”
Certain attacks targeting cryptocurrency companies also require the deployment of a next-stage backdoor called Gopuram that is capable of executing additional commands and interacting with the victim’s file system.
Mandiant’s investigation into the present sequence of events has revealed patient zero to be a malicious version of now-discontinued software provided by a fintech company called Trading Technologies, which 3CX employees download onto their personal computers.
It describes the initial intrusion vector as “a software package containing malware distributed via prior software supply chain compromise that started with a tampered installer for X_TRADER.”
This rogue installer, in turn, contains a setup binary that removes two trojan DLLs and a harmless executable, the latter of which is used to load one of the DLLs disguised as legitimate dependencies.
The attack chain then leverages open source tools such as SIGFLIP And DAVESHELL to finally extract and run VEILEDSIGNAL, a multi-stage modular backdoor written in C capable of sending data, executing shell code, and terminating itself.
The initial compromise of an employee’s personal computer using VEILEDSIGNAL allowed the threat actor to obtain the individual’s company credentials, two after which the first unauthorized access to his network occurred via a VPN by leveraging the stolen credentials.
In addition to identifying tactical similarities between the compromised X_TRADER and 3CXDesktopApp applications, Mandiant found that the threat actor then moved laterally within the 3CX environment and breached the Windows and macOS build environments.
“In a Windows build environment, the attacker used the TAXHAUL launcher and COLDCAT downloader which survive by side-loading DLLs via the IKEEXT service and running with LocalSystem privileges,” Mandiant said. “A macOS build server compromised with a POOLRAT backdoor using Launch Daemons as a persistence mechanism.”
POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a macOS C/C++ implant capable of gathering basic system information and executing arbitrary commands, including executing file operations.
UNC4736 is suspected as a threat group with North Korea’s nexus, an assessment corroborated by ESET’s findings of overlapping command-and-control (C2) domains (journalide(.)org) used in supply chain attacks and attacks in a Lazarus Group campaign called Operation Dream Job.
Evidence amassed by Mandiant suggests the group shows similarities to another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.
What’s more, a breach of Trading Technologies’ website is said to have occurred in early February 2022 by weaponizing a then-flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payload to site visitors.
“The site www.tradingtechnologies(.)com was compromised and hosted a hidden IFRAME to exploit visitors, just two months before the site was found to be shipping the trojanized X_TRADER software package,” Mandiant explained.
Another link linking it to AppleJeus is the previous threat actor’s use of an older version of POOLRAT as part of long term campaign deploying trap trading apps like CoinGoTrade to facilitate cryptocurrency theft.
The entire scale of the campaign remains unknown, and it is currently unclear whether the compromised X_TRADER software was used by other companies. The platform was purportedly decommissioned in April 2020, but will still be available for download from the site in 2022.
3CX, in a renew shared on April 20, 2023, said it was taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, combining tools to ensure its software integrity, and establishing a new department for Operations and Security Network.
“The multilevel software supply chain compromise demonstrates that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korean interests,” Mandiant said.