An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says
Threat hunters traced it back to malware-laced Trading Technologies' software
The supply-chain attack against 3CX last month was caused by an earlier supply-chain compromise of a different software firm — Trading Technologies — according to Mandiant, whose consulting crew was hired by 3CX to help the VoIP biz investigate the intrusion.
For those who missed it, someone was able to tamper with 3CX's desktop app and slip malware into it, which was then downloaded by customers. How exactly that happened, well, that's why Mandiant was brought in.
"This is the first time that we've ever found concrete evidence of a software supply chain attack leading to another software supply chain attack," Mandiant Consulting CTO Charles Carmakal told reporters on Wednesday.
This, of course, also means that 3CX probably wasn't the only company compromised in the earlier supply-chain attack.
"What we are concerned about is that there are likely victims from before that haven't yet discovered that they are a victim, and will likely discover that they were compromised as we get this information out," Carmakal said.
Mandiant attributes both supply chain attacks to a North Korean group it tracks as UNC4736. The threat hunters say it probably isn't a new group, and they assess with "moderate confidence" that it is related to another financially motivated North Korean crew, the one behind the AppleJeus cryptocurrency malware.
The original Trading Technologies compromise happened at least a year ago, according to Carmakal, who cited a malicious X_Trader software package available for download on the financial trading biz's website in early 2022. North Korean miscreants had tampered with the X_Trader installer, injecting it with a malicious backdoor called VEILEDSIGNAL that was digitally signed in late 2021.
"So reasonably the intrusion occurred sometime before November 2021, but we don't know exactly when that occurred for Trading Technologies," Carmakal said. "In terms of the actual distribution of compromise software for 3CX, it's our understanding that that occurred in 2023."
In 2022, a 3CX employee downloaded the malware-laced X_Trader installer to their personal computer. That gave the attacker a foothold on the employee's machine, from which they deployed further malware, harvested credentials, moved laterally into the 3CX corporate environment and ultimately reached the build systems, where they trojanized the 3CX DesktopApp software. The tampered installers were then distributed to customers from the 3CX website in 2023.
Mandiant today published a technical analysis of the supply-chain attack and the malware that miscreants used. The malicious X_Trader installer, we're told, contained the VEILEDSIGNAL backdoor and two trojanized executable files.
The executables contain and use SIGFLIP and DAVESHELL to decrypt and load the payload into memory, and the payload extracts the modular VEILEDSIGNAL backdoor, which communicates with the command-and-control server, executes code, and can terminate itself.
Additionally, the attacker used a compiled version of the publicly available Fast Reverse Proxy project to move laterally within 3CX, compromising both the Windows and macOS build environments, Mandiant noted.
"On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges," according to the analysis. "The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism."
The attacker injected malicious code into 3CX's legitimate software to run a downloader, SUDDENICON, which receives additional C2 servers from encrypted icon files hosted on GitHub. "The decrypted C2 server is used to download a third stage identified as ICONICSTEALER, a dataminer that steals browser information," Mandiant said.
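Hiding the C2 list in icon files on GitHub works because a repository full of images looks unremarkable, and nothing renders the bytes an image viewer ignores. The following is an added example, not code from Mandiant, 3CX or the article: a Python check that parses an ICO directory, computes where a well-formed file should end, and reports any bytes after the last image the directory accounts for. It does not reproduce the real SUDDENICON encoding (which the article does not detail); the two sample icon files are constructed inline, and the appended blob is just an arbitrary byte string standing in for an encrypted payload.

```python
"""Flag .ico files that carry extra bytes after the last image their
directory accounts for.

Added example, not Mandiant's or 3CX's code. It is a generic check for
icon files being used as a drop for hidden data; the actual SUDDENICON
format is not reproduced here.
"""
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1=ICO, 2=CUR), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colors, reserved,
                                           # planes, bpp, bytes_in_res, image_offset


def ico_expected_size(data: bytes) -> int:
    """Return the offset at which a well-formed ICO should end: the end of
    the image blob that reaches furthest into the file. Directory entries
    need not be in file order, so take the maximum rather than the last."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or ico_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < end:
        raise ValueError("truncated ICO directory")
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last directory-referenced image; b'' for a clean file."""
    return data[ico_expected_size(data):]


def build_ico(images: list[bytes]) -> bytes:
    """Assemble a minimal ICO from raw image blobs. Constructed test data:
    the blobs need not be valid bitmaps for the size check to apply."""
    offset = ICONDIR.size + len(images) * ICONDIRENTRY.size
    directory = b""
    for img in images:
        directory += ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        offset += len(img)
    return ICONDIR.pack(0, 1, len(images)) + directory + b"".join(images)


# Constructed samples: a clean two-image icon, and the same icon with an
# opaque 32-byte blob appended after the image data (stand-in for an
# encrypted C2 list; not the real format).
CLEAN_ICO = build_ico([b"\x00" * 40, b"\x11" * 64])
STUFFED_ICO = CLEAN_ICO + bytes(range(32))


def scan(files: dict[str, bytes]) -> dict[str, int]:
    """Map filename -> number of trailing bytes. 0 means nothing appended;
    -1 means the file does not parse as an ICO and needs a manual look."""
    results = {}
    for name, data in files.items():
        try:
            results[name] = len(trailing_bytes(data))
        except ValueError:
            results[name] = -1
    return results


if __name__ == "__main__":
    for name, n in scan({"clean.ico": CLEAN_ICO,
                         "stuffed.ico": STUFFED_ICO}).items():
        print(f"{name}: {n} trailing byte(s)")
```

The check only catches data appended after the structurally last image. A payload tucked inside an over-sized image slot, or spread across the unused bits of a real bitmap, passes it, so treat a zero result as "nothing obvious" and pair the check with a comparison of icon hashes against the ones your build actually ships.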
These types of apparent state-sponsored intrusions, especially from North Korean crime gangs, tend to be "espionage related or financially motivated in nature," Carmakal said. "A lot of times the dwell times are several months or can be several years. That's an important point to note, that we will very likely over time discover more victims." ®