Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.
The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker UNC4736.
Mandiant’s forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that’s designed to decrypt and load shellcode containing a “complex downloader” labeled COLDCAT.
“On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware,” 3CX said. “The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet.”
macOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.
The malware strains detected within the 3CX environment have been observed to contact at least four command-and-control (C2) servers: azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
Source: https://thehackernews.com/
