North Korean threat actors have been identified as the perpetrators behind the recent supply chain attack on enterprise communications service provider 3CX’s desktop application for Windows and macOS.
Mandiant’s interim assessment
Google-owned Mandiant conducted an interim assessment after 3CX enlisted its services when the intrusion surfaced late last month. The threat intelligence and incident response unit is monitoring the activity under the uncategorized designation UNC4736. Interestingly, cybersecurity firm CrowdStrike has linked the attack to a Lazarus sub-group called Labyrinth Chollima, based on tactical similarities.
The attack chain, as analyzed by multiple security vendors, involved using DLL side-loading techniques to load an information stealer known as ICONIC Stealer. A second-stage attack called Gopuram selectively targeted crypto companies. Mandiant’s forensic investigation has now disclosed that the threat actors infected 3CX systems with a malware named TAXHAUL, designed to decrypt and load shellcode containing a “complex downloader” labeled COLDCAT.
According to 3CX, the attacker used DLL side-loading to achieve persistence for the TAXHAUL malware on Windows systems. The persistence mechanism also ensures that the attacker's malware is loaded at system start-up, enabling the attacker to maintain remote access to the infected system via the internet.
The company also revealed that the malicious DLL (wlbsctrl.dll) was loaded by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT) service through svchost.exe, a legitimate system process.
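As an added illustration (not code from the article, 3CX or Mandiant), the following detector scans constructed Sysmon-style log lines for the two host-side signs the article describes: svchost.exe (the process hosting IKEEXT) loading a DLL named wlbsctrl.dll, and DNS lookups for the four listed C2 domains. The key=value log format and the sample events are assumptions made up for the example.

```python
import re

# The article's C2 domains in plain form (the defanged "[.]" removed).
C2_DOMAINS = {
    "azureonlinecloud.com",
    "akamaicontainer.com",
    "journalide.org",
    "msboxonline.com",
}

# Constructed sample events in a simplified "key=value" format, not real telemetry.
SAMPLE_LOGS = [
    "event=ImageLoad image=C:\\Windows\\System32\\svchost.exe loaded=C:\\Windows\\System32\\wlbsctrl.dll signed=false",
    "event=ImageLoad image=C:\\Windows\\System32\\svchost.exe loaded=C:\\Windows\\System32\\ikeext.dll signed=true",
    "event=ImageLoad image=C:\\Program Files\\3CX\\3CXDesktopApp.exe loaded=C:\\Program Files\\3CX\\ffmpeg.dll signed=true",
    "event=DnsQuery image=C:\\Windows\\System32\\svchost.exe query=msboxonline.com",
    "event=DnsQuery image=C:\\Windows\\System32\\svchost.exe query=update.microsoft.com",
]


def parse_event(line):
    """Turn 'key=value key=value' into a dict; values may contain spaces but not '='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def detect(lines):
    """Return (rule, indicator) tuples for every event matching the article's indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "").lower()
        if ev.get("event") == "ImageLoad":
            # IKEEXT runs inside svchost.exe; the article names wlbsctrl.dll as the side-loaded DLL.
            loaded = ev.get("loaded", "").lower()
            if image.endswith("\\svchost.exe") and loaded.endswith("\\wlbsctrl.dll"):
                findings.append(("wlbsctrl_sideload", ev["loaded"]))
        elif ev.get("event") == "DnsQuery":
            # Match the C2 domain itself or any subdomain of it.
            q = ev.get("query", "").lower().rstrip(".")
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
                findings.append(("c2_dns", ev["query"]))
    return findings


if __name__ == "__main__":
    for rule, indicator in detect(SAMPLE_LOGS):
        print(f"{rule}: {indicator}")
```

A real deployment would read the same fields from Sysmon event IDs 7 (image load) and 22 (DNS query) rather than from the constructed lines above.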
macOS systems compromised with SIMPLESEA malware
macOS systems targeted in the attack were reportedly backdoored using another malware strain called SIMPLESEA, a C-based malware that communicates via HTTP to execute shell commands, transfer files, and update configurations.
The malware families found within the 3CX environment are known to contact at least four command-and-control (C2) servers: azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
3CX CEO Nick Galea mentioned in a forum post last week that the company is only aware of a “handful of cases” where the malware was activated. He also stated that 3CX is working to “strengthen our policies, practices, and technology to protect against future attacks.” An updated app has since been released to customers.
It remains unclear how the threat actors gained access to 3CX’s network and whether they exploited a known or unknown vulnerability. The supply chain compromise is being tracked under the identifier CVE-2023-29059 (CVSS score: 7.8).