Apr 12, 2023 | Ravie Lakshmanan
Enterprise communications service provider 3CX confirmed that
the supply chain attack[1]
targeting its desktop application for Windows and macOS was the
handiwork of a threat actor with a North Korean nexus.
The findings are the result of an interim assessment conducted
by Google-owned Mandiant, whose services were enlisted after the
intrusion came to light late last month. The threat intelligence
and incident response unit is tracking the activity under its
uncategorized moniker UNC4736.
It’s worth noting that cybersecurity firm CrowdStrike has
attributed the attack to a Lazarus sub-group dubbed Labyrinth
Chollima, citing tactical overlaps.
The attack chain[2], based on analyses from
multiple security vendors, entailed the use of DLL side-loading
techniques to load an information stealer known as ICONIC Stealer,
followed by a second-stage payload called Gopuram[3]
in selective attacks aimed at crypto companies.
Mandiant’s forensic investigation has now revealed that the
threat actors infected 3CX systems with a malware codenamed TAXHAUL
that’s designed to decrypt and load shellcode containing a “complex
downloader” labeled COLDCAT.
“On Windows, the attacker used DLL side-loading to achieve
persistence for TAXHAUL malware,” 3CX said[4]. “The persistence
mechanism also ensures the attacker malware is loaded at system
start-up, enabling the attacker to retain remote access to the
infected system over the internet.”
The company further said the malicious DLL (wlbsctrl.dll) was
loaded[5]
by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT[6]) service through
svchost.exe[7], a legitimate system
process.
macOS systems targeted in the attack are said to have been
backdoored using another malware strain referred to as SIMPLESEA, a
C-based malware that communicates via HTTP to run shell commands,
transfer files, and update configurations.
The malware strains detected within the 3CX environment have
been observed to contact at least four command-and-control (C2)
servers: azureonlinecloud[.]com, akamaicontainer[.]com,
journalide[.]org, and msboxonline[.]com.
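The two concrete detection opportunities the article gives a defender are the DLL side-loading pattern (wlbsctrl.dll loaded into svchost.exe on behalf of the IKEEXT service) and the four command-and-control domains. The following Python is an added example, not tooling from 3CX, Mandiant or the article's author: it refangs the published domains, then triages a constructed batch of endpoint events (shaped loosely after Sysmon image-load and DNS-query records; the field names are assumptions, not a real product schema) and reports which indicator each hit matched. The DLL check matches on file name only, because the article does not give the DLL's path or hash, so a hit is a lead to confirm against the vendor's published indicators rather than a verdict on its own.

```python
"""Indicator triage for the 3CX indicators named in the article.

Constructed example: the event format below is an assumption modelled on
Sysmon image-load (type 'image_load') and DNS-query (type 'dns_query')
records; it is not 3CX's, Mandiant's or any vendor's schema.
"""
from typing import Iterable, Optional

# C2 domains exactly as published (de-fanged with "[.]").
C2_DOMAINS_DEFANGED = [
    "azureonlinecloud[.]com",
    "akamaicontainer[.]com",
    "journalide[.]org",
    "msboxonline[.]com",
]

# Side-loading pattern described for the Windows host: the malicious DLL
# was loaded by the IKEEXT service, which runs inside svchost.exe.
SIDELOADED_DLL = "wlbsctrl.dll"
HOST_PROCESS = "svchost.exe"


def refang(domain: str) -> str:
    """Turn a de-fanged indicator ("example[.]com") back into a matchable name."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_c2(query: str) -> Optional[str]:
    """Return the C2 domain that `query` equals or is a subdomain of, else None.

    Trailing dots and case are normalised; 'notakamaicontainer.com' must NOT
    match, so only an exact match or a '.'-separated suffix counts.
    """
    q = query.rstrip(".").strip().lower()
    for domain in C2_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def _basename(path: str) -> str:
    """Last path component, tolerating both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events: Iterable[dict]) -> list:
    """Return one finding per event that matches an indicator from the article.

    Each finding is {'indicator': <label>, 'event': <original event>}.
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "image_load":
            # Flag wlbsctrl.dll only when the loading process is svchost.exe,
            # which is the IKEEXT side-loading pattern the article describes.
            if (_basename(ev.get("image", "")) == SIDELOADED_DLL
                    and _basename(ev.get("process", "")) == HOST_PROCESS):
                findings.append({"indicator": "sideload:" + SIDELOADED_DLL,
                                 "event": ev})
        elif kind == "dns_query":
            hit = match_c2(ev.get("query", ""))
            if hit is not None:
                findings.append({"indicator": "c2:" + hit, "event": ev})
    return findings


# Constructed sample telemetry (assumed field names), including benign
# look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wlbsctrl.dll"},
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "process": r"C:\Program Files\Example\app.exe",
     "image": r"C:\Program Files\Example\wlbsctrl.dll"},
    {"type": "dns_query", "process": r"C:\Windows\System32\svchost.exe",
     "query": "cdn.akamaicontainer.com"},
    {"type": "dns_query", "process": r"C:\Windows\System32\svchost.exe",
     "query": "www.akamai.com"},
    {"type": "dns_query", "process": r"C:\Windows\System32\svchost.exe",
     "query": "MSBOXONLINE.COM."},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["indicator"], "<-", finding["event"])
```

Running the module prints three findings: the wlbsctrl.dll load into svchost.exe, the subdomain of akamaicontainer.com, and the mixed-case msboxonline.com query with a trailing dot. The kernel32.dll load, the same-named DLL loaded by an unrelated process, and www.akamai.com are left alone. Feeding real telemetry means only replacing SAMPLE_EVENTS with records mapped onto the assumed field names.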
3CX CEO Nick Galea, in a forum post[9]
last week, said the company is only aware of a “handful of cases”
where the malware was actually activated and that it’s working to
“strengthen our policies, practices, and technology to protect
against future attacks.” An updated[10] app[11] has since been made
available to customers.
It has not yet been determined how the threat actors broke into
3CX’s network, or whether the intrusion involved the exploitation of a
known or unknown vulnerability. The supply chain compromise is
being tracked under the identifier CVE-2023-29059[12] (CVSS score: 7.8).
References
- [1] supply chain attack (thehackernews.com)
- [2] attack chain (thehackernews.com)
- [3] Gopuram (thehackernews.com)
- [4] said (www.3cx.com)
- [5] loaded (github.com)
- [6] IKEEXT (infosecwriteups.com)
- [7] svchost.exe (en.wikipedia.org)
- [8] Don’t Miss Out – Save Your Seat! (thehacker.news)
- [9] forum post (www.3cx.com)
- [10] updated (www.3cx.com)
- [11] app (www.3cx.com)
- [12] CVE-2023-29059 (nvd.nist.gov)
- [13] Twitter (twitter.com)
- [14] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/04/lazarus-sub-group-labyrinth-chollima.html
