Security News > 2023 > April > North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.
It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.
The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.
Mandiant's forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that's designed to decrypt and load shellcode containing a "Complex downloader" labeled COLDCAT. "On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware," 3CX said.
MacOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.
3CX CEO Nick Galea, in a forum post last week, said the company is only aware of a "Handful of cases" where the malware was actually activated and that it's working to "Strengthen our policies, practices, and technology to protect against future attacks." An updated app has since been made available to customers.
News URL
https://thehackernews.com/2023/04/lazarus-sub-group-labyrinth-chollima.html
Related news
- North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- North Korean hackers pave the way for Play ransomware (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)