On Thursday, 3CX, a maker of business communications software, confirmed that multiple versions of its desktop application for Windows and macOS were affected by a supply chain attack.
The affected Windows versions are 18.12.407 and 18.12.416; the affected macOS versions are 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.
The company said it has engaged Google-owned Mandiant to investigate the incident. In the meantime, it is urging customers running the self-hosted and on-premise editions of its software to update to version 18.12.422.
According to a Thursday post by 3CX CEO Nick Galea, users of 3CX Hosted and StartUP do not need to update their servers manually, as the company will update them automatically overnight. The servers will then be restarted and the new Electron App MSI/DMG installed on them.
Based on the information gathered so far, the Windows and macOS distributions appear to have been compromised in one of two ways: through an attack on 3CX's build pipeline or through poisoning of a third-party source that the builds pull in. The full extent of the attack is not yet known.
According to a post on the 3CX forum, the malicious activity is believed to have begun on March 22, 2023, while planning for the attack may have started as early as February 2022.
3CX said it initially dismissed the first warning about a potential security issue in its application because none of the antivirus engines on VirusTotal flagged the file as risky or malicious.
On Windows, the attack relied on DLL side-loading: the 3CX desktop application loaded a trojanized library named ffmpeg.dll, which in turn read encrypted shellcode from a second DLL, d3dcompiler_47.dll.
Once executed, the shellcode fetched an ICO file from a GitHub repository. URLs embedded in that icon file pointed to the final-stage payload, an information stealer tracked as ICONIC Stealer (also known as SUDDENICON) that collects system information and data stored in web browsers.
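The chain described above hands the second stage a carrier file, an icon, whose real job is to hold URLs. One check a practitioner can apply to any icon pulled from a build or a repository is to parse the ICO directory, work out where the last image ends, and inspect whatever follows. The script below is an added example for this article, not code from 3CX, the attackers or any of the vendors cited. The ICONDIR and ICONDIRENTRY layout is the documented ICO format; the placement of the URLs after the image data, the placeholder hostname and the sample icon are assumptions constructed for the example.

```python
"""Check an ICO file for data appended after its image payloads and pull
URL-like strings out of that trailer.

Added example for this article; not 3CX's, the attackers' or any vendor's
code.  The ICO layout (ICONDIR + ICONDIRENTRY table) is the documented format;
that the payload URLs live *after* the last image is an assumption made for
this example, as is the constructed sample icon below.
"""
import re
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1=icon, 2=cursor), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def ico_image_end(data: bytes) -> int:
    """Offset just past the last byte that the icon directory accounts for.

    Anything beyond this offset belongs to no image and deserves a look.
    Raises ValueError when the header is not a plausible ICO/CUR.
    """
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICONDIR header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR.size + count * ICONDIRENTRY.size  # the directory table itself
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, size, img_off = ICONDIRENTRY.unpack_from(data, entry_off)
        if img_off + size > len(data):
            raise ValueError(f"directory entry {i} points past end of file")
        end = max(end, img_off + size)
    return end


def ico_trailer(data: bytes) -> bytes:
    """Bytes appended after the last image (empty for a clean icon)."""
    return data[ico_image_end(data):]


def urls_in_trailer(data: bytes) -> list:
    """Plain-text URLs found in the trailer; an encoded trailer needs decoding first."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(ico_trailer(data))]


def build_sample_ico(trailer: bytes) -> bytes:
    """Constructed sample: a valid 1x1 32-bpp icon with `trailer` appended."""
    # BITMAPINFOHEADER (height doubled to cover the AND mask), one BGRA pixel,
    # then one 4-byte-padded AND-mask row.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    image = bih + b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return header + entry + image + trailer


# Constructed inputs: the hostname is a placeholder, not a real indicator.
CLEAN_ICO = build_sample_ico(b"")
SUSPECT_ICO = build_sample_ico(b"\x00\x01 stage2=https://cdn.example.invalid/stage2.bin ;")

if __name__ == "__main__":
    for name, ico in (("clean", CLEAN_ICO), ("suspect", SUSPECT_ICO)):
        print(f"{name}: {len(ico_trailer(ico))} trailing bytes, urls={urls_in_trailer(ico)}")
```

A non-empty trailer is not proof of anything on its own (some editors pad files), but an icon shipped with a desktop application has no business carrying URLs past its image data, so the combination is a cheap, high-signal triage check.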
According to Karlo Zanki, a security researcher at ReversingLabs, the attackers' choice of ffmpeg and d3dcompiler_47 was not coincidental.
The targeted 3CXDesktopApp is built on the open source Electron framework, and both libraries normally ship with the Electron runtime, so their presence is unlikely to raise suspicion in customer environments.
The macOS attack chain followed a similar pattern: it bypassed Apple's notarization checks to download an as-yet-unidentified payload from a command-and-control (C2) server that is currently offline.
Volexity, which tracks the activity cluster as UTA0040, notes that the macOS version does not rely on GitHub to obtain its C2 server. Instead, a list of C2 servers is stored in a file encoded with a single-byte XOR key of 0x7A.
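Single-byte XOR is trivially reversible once the key is known, and when it is not, the key can be recovered by trying all 256 candidates and scoring each decode for how much it looks like a list of hosts. The following is an added example for this article, not Volexity's tooling or the malware's own code. Only the key value 0x7A comes from the text; the one-URL-per-line layout and the placeholder hosts are assumptions constructed here. The brute-force recovery goes beyond the article's case, where the key was already known.

```python
"""Decode a C2 list that was obfuscated with a single-byte XOR key, and
recover the key when it is not known.

Added example for this article; not Volexity's analysis code or the
malware's own.  Only the key value 0x7A comes from the article; the file
layout (one URL per line) and the sample content are constructed here.
"""
from typing import List, Tuple

# Bytes you expect in a newline-separated list of URLs or host:port pairs.
_HOSTLIKE = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:/?=&%\r\n"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; the operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def hostlike_score(buf: bytes) -> float:
    """How much `buf` looks like a C2 list: share of plausible bytes, plus a
    bonus for URL scheme separators and dots, normalised by length."""
    if not buf:
        return 0.0
    plausible = sum(1 for b in buf if b in _HOSTLIKE)
    bonus = 3 * buf.count(b"://") + buf.count(b".")
    return (plausible + bonus) / len(buf)


def recover_key(blob: bytes) -> Tuple[int, bytes]:
    """Brute-force all 256 keys and return (key, plaintext) with the best score.

    The correct decode is overwhelmingly more host-like than the other 255
    candidates, so the analyst does not need the key in advance.
    """
    scored = ((hostlike_score(xor_bytes(blob, k)), k) for k in range(256))
    _, key = max(scored)
    return key, xor_bytes(blob, key)


def decode_c2_list(blob: bytes, key: int = 0x7A) -> List[str]:
    """Decode with a known key and split into non-empty entries."""
    plain = xor_bytes(blob, key)
    return [ln.decode("ascii", "replace").strip() for ln in plain.splitlines() if ln.strip()]


# Constructed sample: placeholder hosts, never real indicators.
SAMPLE_PLAINTEXT = (
    b"https://c2-one.example.invalid/api\n"
    b"https://c2-two.example.invalid/upload\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x7A)

if __name__ == "__main__":
    key, _ = recover_key(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02X}")
    for entry in decode_c2_list(SAMPLE_BLOB, key):
        print(" ", entry)
```

The scoring function is deliberately simple; if a sample's list used a different delimiter or carried binary length prefixes, the plausible-byte set and the splitting in decode_c2_list would need to follow the observed format.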
Cybersecurity company CrowdStrike has attributed the attack with high confidence to Labyrinth Chollima (also known as Nickel Academy), a state-sponsored actor aligned with North Korea.
The Labyrinth Chollima activity appears to affect organizations across many verticals indiscriminately. The attribution is based on network infrastructure uniquely associated with this adversary, along with the use of similar installation techniques and a reused RC4 key, Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.
The trojanized 3CX application invoked a variant of the ArcfeedLoader malware uniquely attributed to Labyrinth Chollima.
According to the Texas-based company, Labyrinth Chollima is a sub-cluster within the Lazarus Group, which also comprises Silent Chollima (also known as Andariel or Nickel Hyatt) and Stardust Chollima (also known as BlueNoroff or Nickel Gladstone).
The threat actor has been active since 2009 and primarily targets cryptocurrency and financial institutions for revenue generation, Meyers said. It is most likely part of Bureau 121 of North Korea's Reconnaissance General Bureau (RGB) and conducts espionage in addition to its revenue-generating operations.