Mandiant Attributes 3CX Supply Chain Attack to North Korean Activity Cluster
On April 11, 2023, 3CX reported that Mandiant, which investigated the supply chain attack carried out through a digitally signed 3CXDesktopApp installer, attributes the attack to an activity cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus. [1]
Mandiant's assessment corroborates findings from CrowdStrike [2] and Kaspersky [3], who analyzed the infected 3CXDesktopApp. Kaspersky discovered a backdoor, dubbed Gopuram, that the company links to the North Korean-backed Lazarus group, an umbrella organization containing multiple threat actor subgroups. CrowdStrike's analysis of the payload concluded that the "HTTPS beacon structure and encryption key match those observed in a March 7, 2023, campaign". CrowdStrike attributes the pattern with high confidence to a Democratic People's Republic of Korea (DPRK) adversary tracked as LABYRINTH CHOLLIMA.
3CX did not disclose how the actor initially compromised its network.
Mandiant's analysis revealed that the actor infected 3CX systems with a loader named TAXHAUL (aka "TxRLoader"). The loader decrypts and executes shellcode, eventually installing the final payload, dubbed COLDCAT. Mandiant noted that COLDCAT differs from GOPURAM, the malware observed by Kaspersky. Mandiant also detected a macOS variant named SIMPLESEA.
The post 3CX Incident Attributed to North Korea; New LockBit MacOS Sample appeared first on Security Boulevard.