Lazarus, the prolific North Korean hacking group behind the cascading supply chain attacks targeting 3CX, used the trojanized X_TRADER application to compromise two critical infrastructures in the power and energy sectors. The organization and two other companies involved in financial transactions were also compromised.
The new findings are Symantec Threat Hunter Teamconfirms earlier allegations that the X_TRADER application compromise affected more organizations than 3CX.
Eric Chien, director of security response at Symantec, which is owned by Broadcom, said in a statement to The Hacker News that the attacks occurred between September 2022 and November 2022.
“At this time, the impact of these infections is unknown. Further investigation is needed and ongoing,” Cheng said. There may also be a package of
The development came after Mandiant revealed last month that the 3CX desktop application software breach was facilitated by another software supply chain breach targeting X_TRADER in 2022.
It is currently unknown how the North Korean nexus actor UNC4736 modified X_TRADER, a trading software developed by a company called Trading Technologies. The service was discontinued in April 2020, but was still available for download from the company’s website last year.
Mandiant’s investigation found that a backdoor (called VEILEDSIGNAL) inserted into the corrupted X_TRADER app allowed adversaries to gain access to employee computers and siphon credentials, which they used to compromise 3CX’s network and Moving laterally, Windows and macOS build an environment to inject malicious code.
The sprawling, interconnected attacks appear to have considerable overlap with previous North Korean-aligned groups and campaigns that have historically targeted cryptocurrency companies for financial gain. .
A Google Cloud subsidiary has assessed with “some confidence” that this activity is related to AppleJeus. His cybersecurity firm CrowdStrike previously attributed the attack to a Lazarus cluster that the company calls his Labyrinth Chollima.
In February 2022, Google’s Threat Analysis Group (TAG) linked the same adversarial group to a compromise of Trading Technologies’ website, offering an exploit kit leveraging a zero-day vulnerability in the then Chrome web browser. turned out to be
Zero Trust + Deception: Learn How to Outsmart Attackers!
See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!
ESET’s analysis of different Lazarus Group campaigns has revealed a new Linux-based malware called SimplexTea that shares the same network infrastructure identified as being used in UNC4736, and that the 3CX hack was attributed to the North Korean threat. It further expanded the existing evidence that it was organized. actor.
“[Mandiant’s] Our findings about the second supply chain attack that led to the 3CX breach suggest that Lazarus may be increasingly shifting to this technique to gain initial access to targeted networks. ,” ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.
Compromise of the X_TRADER application further hints at the financial motivation of the attackers. Lazarus, also known as HIDDEN COBRA, is the collective name for multiple subgroups based in North Korea that engage in both espionage and cybercriminal activities on behalf of the Hermit Kingdom and evade international sanctions.
A breakdown of the infection chain by Symantec confirms the deployment of the VEILEDSIGNAL modular backdoor. It also includes a process injection module that can be injected into Chrome, Firefox, or Edge web browsers. This module contains a dynamic link library (DLL) that connects to Trading Technologies’ website for Command and Control (C2).
“The discovery that 3CX was compromised in another previous supply chain attack makes it very likely that more organizations will be affected by this campaign,” Symantec said. It turned out to be far more widespread than we thought.”
