N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a “software supply chain attack lead to another software supply chain attack.”
The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.
“The malicious application next attempts to steal sensitive information from the victim user’s web browser,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. “Specifically it will target the Chrome, Edge, Brave, or Firefox browsers.”
Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that’s capable of running additional commands and interacting with the victim’s file system.
Mandiant’s investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.
It described the initial intrusion vector as “a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.”
This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that’s camouflaged as a legitimate dependency.
The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that’s capable of sending data, executing shellcode, and terminating…
