UPDATE--The supply chain attack at 3CX that was discovered last month was the result of an earlier supply chain attack against Trading Technologies that resulted in that company’s X_TRADER app being compromised. An employee at 3CX later installed that compromised app on a company machine, giving the attacker the initial access to 3CX’s environment, investigators have found.
The new findings are the result of an incident response investigation by Mandiant, who said this is the first example they’ve ever seen of one software supply chain attack leading directly to a second one. Mandiant is still investigating the sequence of events and researchers said it’s possible that there are other victim companies out there that have not been identified yet. The X_TRADER app had been retired in 2020 but was still available on the company’s website in 2022, which is when the attackers were able to compromise the Trading Technologies site and then later compromise the app.
“This is the first time we’ve ever seen a software supply chain attack lead to a supply chain attack at another company. This whole series of campaigns and multiple supply chain attacks shows an increase in the cyber offensive capabilities by North Korean threat actors,” said Charles Carmakal, consulting CTO at Mandiant.
On Friday, Symantec researchers said they have identified at least four other organizations that were victimized by the compromised X_TRADER app. Two of those victims were in the energy sector, with one in the United States and one in Europe. The other two organizations were in the financial industry.
The attack on 3CX first emerged last month, but began well before that. The attackers, who researchers at several security firms have identified as likely being part of the Lazarus Group, used a Google Chrome vulnerability that was a zero day at the time to compromise the Trading Technologies site in early 2022. The attackers eventually gained access to the company’s build environment and inserted malicious code into the X_TRADER app that led to the deployment of a backdoor Mandiant calls Veiledsignal. The installer for the compromised version of the trading app was signed with a legitimate certificate that was still valid at the time.
“The installer contains and executes setup.exe which drops two trojanized DLLs and a benign executable. The benign executable is used to side-load one of the malicious executables. Side-loading relies on legitimate Windows executables to load and execute a malicious file that has been disguised as a legitimate dependency. The loaded malicious executable contains and uses SIGFLIP and DAVESHELL to decrypt and load the payload into memory from the other dropped malicious executable,” Mandiant said in a new post detailing the intrusions.
“The payload extracted from SIGFLIP and DAVESHELL extracts a modular backdoor from itself, VEILEDSIGNAL, and two corresponding modules. VEILEDSIGNAL relies on the two extracted modules as one is used for process injection, and the other to enable communications with the Command and Control (C2) infrastructure.”
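To make the side-loading pattern Mandiant describes concrete from a detection standpoint, here is an added Python example; it is not code from Mandiant, Trading Technologies or this story. It scores image-load records (laid out loosely like a Sysmon Event ID 7 event, an assumption about telemetry shape) and surfaces the condition behind the X_TRADER installer's technique: a signed, legitimate host executable loading a DLL that carries a system DLL's name from the host's own directory rather than from the Windows system directory, where the DLL is unsigned or signed by a different publisher. All sample events, paths, signers and the short list of system DLL names are constructed for illustration.

```python
"""Flag DLL side-loading candidates in image-load records.

Side-loading, as the article describes it, abuses a legitimate signed
executable that resolves a dependency from its own directory: a malicious
DLL placed there under the expected name is loaded instead of the system copy.
This is an added illustration; the record layout loosely follows a Sysmon
Event ID 7 (ImageLoaded) event, and every sample below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List
import ntpath


@dataclass
class ImageLoad:
    process: str          # full path of the process that loaded the DLL
    process_signed: bool
    process_signer: str   # publisher on the process's Authenticode signature
    dll: str              # full path of the DLL that was loaded
    dll_signed: bool
    dll_signer: str


# Directories from which a Windows system DLL is expected to be loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that normally resolve to the system copy. An application-local
# file carrying one of these names is the classic side-loading pattern.
# Constructed short list for illustration, not an authoritative catalogue.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dbghelp.dll", "cryptsp.dll"}


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads a system-named DLL from its own directory
    and that DLL is unsigned or signed by a different publisher than the host."""
    dll_dir = ntpath.dirname(ev.dll).lower()
    dll_name = ntpath.basename(ev.dll).lower()
    proc_dir = ntpath.dirname(ev.process).lower()
    if dll_dir in SYSTEM_DIRS:
        return False          # loaded from the expected system location
    if dll_name not in SYSTEM_DLL_NAMES:
        return False          # not impersonating a system DLL
    if dll_dir != proc_dir:
        return False          # not resolved from the host's own directory
    if not ev.process_signed:
        return False          # the pattern needs a trusted host to hide behind
    trust_mismatch = (not ev.dll_signed
                      or ev.dll_signer.lower() != ev.process_signer.lower())
    return trust_mismatch


def find_sideloads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Return only the events that match the side-loading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events: a clean system load, an unsigned application-local
# copy of a system DLL, a vendor's own DLL, and a system-named DLL signed by
# a publisher other than the host's.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", True, "Vendor Inc.",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", True, "Vendor Inc.",
              r"C:\Program Files\VendorApp\version.dll", False, ""),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", True, "Vendor Inc.",
              r"C:\Program Files\VendorApp\vendorcore.dll", True, "Vendor Inc."),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", True, "Vendor Inc.",
              r"C:\Program Files\VendorApp\userenv.dll", True, "Other Co."),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process} loaded {hit.dll}")
```

Of the four constructed events only the second and fourth are flagged: the first is the normal system load, and the third is a vendor DLL that does not borrow a system DLL's name. The publisher comparison is what keeps a vendor's own signed redistributables from raising noise while still catching a DLL that a trusted host would never ship under that name.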
The 3CX intrusion, which resulted in the attackers inserting malicious code into the Windows and macOS versions of the company’s desktop voice and messaging app, began when an employee downloaded and installed the compromised X_TRADER app. The payload extracted from the compromised 3CX app is different from the one in X_TRADER, but the techniques used to extract and run it are identical. Once inside the 3CX environment, the attackers used a proxy tool to move laterally on the network and eventually gain access to both the Windows and macOS build environments.
“On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges. The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism,” the Mandiant analysis says.
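The LaunchDaemons persistence Mandiant attributes to POOLRAT is something a macOS build server owner can audit directly. The following is an added Python example, not code from Mandiant or 3CX: it parses launchd property lists with the standard library and reports jobs that run their program from a writable location, that combine RunAtLoad with KeepAlive, or that borrow an Apple-style label for a program outside Apple's paths. The path allow-lists and both sample plists are constructed for illustration and are not artifacts from the incident.

```python
"""Audit launchd property lists for persistence indicators.

LaunchDaemons, the mechanism the article credits for the POOLRAT backdoor's
persistence on the macOS build server, run as root when the system boots if
RunAtLoad is set. This added example parses plist content with the standard
library and reports jobs whose program lives in a location a legitimate daemon
would not normally run from. The plists and path allow-lists are constructed
for illustration and are not artifacts from the incident.
"""
import plistlib
import posixpath
from typing import List, Optional

# Prefixes a launch daemon's program is ordinarily run from (constructed
# allow-list; tune it to the fleet being audited).
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

# Locations that are world- or user-writable, which a root daemon should not
# execute from.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                     "/Users/", "/private/var/folders/", "/var/folders/")

# Where a program carrying a com.apple.* label would be expected to live.
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_path(job: dict) -> Optional[str]:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def audit_daemon(plist_bytes: bytes) -> List[str]:
    """Return findings for one plist; an empty list means nothing notable."""
    job = plistlib.loads(plist_bytes)
    findings: List[str] = []
    path = program_path(job)
    if path is None:
        return ["no Program or ProgramArguments key"]
    path = posixpath.normpath(path)
    if path.startswith(WRITABLE_PREFIXES):
        findings.append(f"program in writable location: {path}")
    elif not path.startswith(EXPECTED_PREFIXES):
        findings.append(f"program outside expected prefixes: {path}")
    # KeepAlive may be a bool or a dict of conditions; either is truthy here.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: restarted if the process dies")
    label = job.get("Label", "")
    if label.startswith("com.apple.") and not path.startswith(APPLE_PREFIXES):
        findings.append(f"Apple-style label {label!r} for a non-Apple program")
    return findings


# Constructed samples: a plausible vendor daemon and a suspicious one.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backupagent",
    "ProgramArguments": ["/usr/local/bin/backupagent", "--daemon"],
    "RunAtLoad": True,
})

SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.updatehelper",
    "ProgramArguments": ["/private/var/folders/xy/updatehelper", "-d"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_daemon(data) or ["ok"])
```

On a real host the same function would be fed the bytes of each file under /Library/LaunchDaemons, for example with `pathlib.Path("/Library/LaunchDaemons").glob("*.plist")`, and run against a baseline taken when the build server was provisioned so that only new or changed jobs need a human look.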
The Mandiant investigators said the initial intrusion at Trading Technologies falls in line with the historical financial focus of many of the known North Korean APT teams. The Lazarus Group in particular is known for targeting companies in the cryptocurrency realm, as well as banks and other financial institutions.
“This group has historically gone after cryptocurrency and shows that where North Korea is putting its best cyber teams is on the financially motivated stuff,” said Ben Read, director of cyber espionage analysis at Mandiant.
_This story was updated on April 21 to include new information from Symantec._