Security News > 2023 > April > North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack

Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.

It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.

The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.

Mandiant's forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that's designed to decrypt and load shellcode containing a "Complex downloader" labeled COLDCAT. "On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware," 3CX said.

MacOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.

3CX CEO Nick Galea, in a forum post last week, said the company is only aware of a "Handful of cases" where the malware was actually activated and that it's working to "Strengthen our policies, practices, and technology to protect against future attacks." An updated app has since been made available to customers.

News URL

https://thehackernews.com/2023/04/lazarus-sub-group-labyrinth-chollima.html