latest news of the deep world

North Korean Cyber Criminals Used a Cascading Supply Chain Attack in the Style of a Matryoshka Doll on 3CX

May 12, 2023
North Korean Cyber Criminals Used a Cascading Supply Chain Attack in the Style of a Matryoshka Doll on 3CX

A supply chain attack directed at 3CX was caused by an earlier supply chain compromise linked to another company, indicating a higher degree of sophistication among North Korean threat actors.

The strike, monitored by Mandiant (owned by Google) and referred to as UNC4736, represents the first case in which a “software supply chain attack” led to another similar attack.

A Matryoshka doll-style cascading supply chain attack was uncovered on March 29, 2023, targeting 3CX. The attack trojanized Windows and macOS versions of the company’s communication software to distribute a C/C++-based data miner, ICONIC Stealer, via a downloader named SUDDENICON. T

The malware targeted users of web browsers such as Chrome, Edge, Brave, and Firefox, attempting to extract sensitive information, as per the U.S. Cybersecurity and CISA analysis. In some cryptocurrency-related attacks, a next-stage backdoor called Gopuram was employed, permitting contact with the individual’s directory system and the executing of further operations.

Malicious Software Supply Breach

Mandiant reported that the recent cyber attack originated from a tainted version of a discontinued software downloaded by a 3CX worker to their personal computer. The attack began with a compromised X_TRADER installer that introduced two trojanized DLLs and an innocuous executable file, which allowed the loading of one of the DLLs that impersonates a genuine dependency.

Cyber criminals used open source tools SIGFLIP and DAVESHELL to install VEILEDSIGNAL, a programmable entryway with multiple stages in C, to extract data, execute shellcode, and self-terminate. The backdoor was used to infiltrate an employee’s computer and obtain corporate credentials, which were used to access 3CX’s network through a VPN.

The hackers expanded their reach by disregarding the build environments for Windows and Mac using such tools as TAXHAUL, COLDCAT, and POOLRAT, enabling them to maintain persistence and access privileges.

North Korean-linked UNC4736 and Lazarus Group shared a command-and-control domain in Operation Dream Job. Mandiant linked the Trading Technologies breach to financially motivated Operation AppleJeus, which abused a Chrome zero-day to infect visitors with a trojanized X_TRADER package. AppleJeus used POOLRAT to spread malicious trading apps. The attack’s scope is unknown, and 3CX implemented security measures. North Korean operators can distribute malware according to their interests.

Leave a Reply

Your email address will not be published. Required fields are marked *