A few days ago, VoIP IPBX software development company 3CX reported a supply chain attack, where attackers had targeted and infected the macOS and Windows versions of its desktop app. Further investigation revealed additional details of new malware and threat actor attribution.
New malware discovered
Mandiant published an interim report based on its forensic analysis, which revealed that the UNC4736 group had infected 3CX systems with multiple malware strains, alongside the Gopuram and AppleJeus malware.
- Attackers used Taxhaul (or TxRLoader) to target Windows machines; it was in turn used to deploy a second-stage payload called Coldcat.
- The backdoor used to target macOS machines has been named SIMPLESEA. Mandiant is yet to conclude if this is a new malware or has any overlaps with any existing malware family.
Attacks on Windows
Once executed, the Taxhaul malware decrypts shellcode stored on the machine using the Windows API and runs it.
- The decrypted shellcode is a downloader malware, dubbed Coldcat. The malicious files are saved under C:\Windows\System32\config\TxR\, in an attempt to disguise them as Windows installation files.
- The malware also uses a unique cryptographic key for decryption on every targeted host. Because the key is tied to the specific host, the payload cannot be decrypted and executed inside a sandbox or VM.
- In addition, the attacker used DLL sideloading to achieve persistence on the infected machine and ensure that the malware gets loaded at every restart.
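The drop location named above is a legitimate Windows directory (the Transactional Registry store), so a defender cannot simply flag the folder; the useful check is whether anything in it deviates from the file types that normally live there. The following Python hunt script is an added example written for this article, not code from Mandiant or 3CX. It assumes that legitimate TxR contents use only the `.blf` and `.regtrans-ms` extensions; the sample directory listing and the placeholder file name it flags are constructed, not real indicators from the report.

```python
from pathlib import Path

# Directory the article names as the Taxhaul/Coldcat drop location.
TXR_DIR = Path(r"C:\Windows\System32\config\TxR")

# Assumption: normal Transactional Registry files are CLFS logs (.blf) and
# registry transaction containers (.regtrans-ms). Anything else is suspect.
EXPECTED_SUFFIXES = (".blf", ".regtrans-ms")


def unexpected_entries(names):
    """Return the file names that do not match the expected TxR file types."""
    return [n for n in names if not n.lower().endswith(EXPECTED_SUFFIXES)]


def scan_txr_dir(directory=TXR_DIR):
    """List suspect files in the real TxR directory (empty if it is absent,
    e.g. when run on a non-Windows host)."""
    if not directory.is_dir():
        return []
    return unexpected_entries(p.name for p in directory.iterdir())


# Constructed sample listing: two normal-looking TxR files plus one
# placeholder name standing in for a dropped payload (not a real IoC).
SAMPLE_LISTING = [
    "DRIVERS{0000-placeholder}.TM.blf",
    "DRIVERS{0000-placeholder}.TMContainer00000000000000000001.regtrans-ms",
    "PLACEHOLDER-dropped-file.dll",
]

if __name__ == "__main__":
    print("Sample listing, suspect entries:", unexpected_entries(SAMPLE_LISTING))
    print("Live scan, suspect entries:", scan_txr_dir())
```

Run it from an elevated prompt on a Windows host to list the live directory; on any other platform only the constructed sample is evaluated. Treat a hit as a lead for triage, not proof of compromise, since other software can legitimately write here.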
Attacks on macOS
The macOS backdoor SIMPLESEA is written in C and communicates with its C2 server over HTTP.
- It lets the operator manage, execute, and transfer files, update its configuration, and run shell commands.
- It checks for the existence of a specific file (/private/etc/apdl[.]cf) that stores the configuration value (single-byte XOR encoded with the key 0x5e).
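Single-byte XOR is symmetric, so the same routine recovers the configuration that the backdoor stores encoded with 0x5e. The decoder below is an added example written for this article, not Mandiant's tooling or the malware's own code; it assumes the plain path `/private/etc/apdl.cf` corresponds to the defanged path in the report, and the sample configuration it encodes and decodes is constructed, not content recovered from a real infection.

```python
from pathlib import Path

XOR_KEY = 0x5E                      # single-byte key reported for the config
CONFIG_PATH = Path("/private/etc/apdl.cf")   # assumed plain form of apdl[.]cf


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; because XOR is its own inverse, this
    both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic sanity check: was the decoded buffer mostly printable?"""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def decode_config_file(path: Path = CONFIG_PATH):
    """Return the decoded configuration if the file exists, else None.
    Presence of the file on a host is itself worth triaging."""
    if not path.is_file():
        return None
    return xor_decode(path.read_bytes())


# Constructed sample configuration (not a real value from the report).
SAMPLE_CONFIG = b"c2=https://example.invalid/api\n"
ENCODED_SAMPLE = xor_decode(SAMPLE_CONFIG)   # what would sit on disk

if __name__ == "__main__":
    decoded = xor_decode(ENCODED_SAMPLE)
    print("decoded sample:", decoded.decode("ascii", "replace").strip())
    print("plausible text:", looks_like_text(decoded))
    live = decode_config_file()
    print("live config file present:", live is not None)
```

Point `decode_config_file` at a forensic copy of the file rather than the live path when working an image; the presence check on the live path is only meant as a quick host triage.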
- It communicates with the C2, sharing a unique randomly generated bot ID, and a short survey report about the host.
Concluding notes
Mandiant's comprehensive report provides further confirmation of the involvement of North Korean hackers in the recent 3CX attack. This corroborates previous findings by CrowdStrike, which had already linked the attack to the North Korean nexus known as LABYRINTH CHOLLIMA. In response, 3CX has proactively issued security guidelines and additional steps to safeguard the interests of impacted organizations. It is highly recommended that users follow these guidelines diligently to ensure their protection.