A recent investigation by Symantec’s Threat Hunter Team has revealed that the Lazarus hacking group, notorious for its links to North Korea, breached not just 3CX but also two critical infrastructure organizations in the power and energy sector and two businesses involved in financial trading. The group used the X_TRADER application, which had been tampered with by the North Korea-nexus actor UNC4736.
While the impact of these intrusions is still unknown, investigation is ongoing. The discovery has shed light on the breadth of the attack: more victims are likely, and other trojanized packages may have been used.
Mandiant has previously disclosed that the compromise of 3CX’s desktop application was due to the X_TRADER supply chain breach. An employee downloaded the corrupted X_TRADER app, which contained a backdoor called VEILEDSIGNAL. This backdoor allowed the attackers to access the employee’s computer and credentials, which they then used to breach 3CX’s network and compromise the Windows and macOS build environments to insert malicious code.
The discovery of this second supply chain attack highlights Lazarus’s shift towards this technique to gain initial access to its targets’ networks. The X_TRADER application was a piece of trading software developed by Trading Technologies, which had been discontinued but was still available for download on the company’s website until last year.
Symantec’s breakdown of the infection chain revealed the deployment of the VEILEDSIGNAL modular backdoor, which can be injected into Chrome, Firefox, or Edge web browsers. This backdoor incorporated a process-injection module and a dynamic-link library (DLL) that connects to Trading Technologies’ website for command-and-control (C2).
Lazarus is known for financially motivated attacks, and the compromise of X_TRADER serves as further evidence of this trend. For a country like North Korea, which is buried under numerous sanctions, hacking like this not only brings financial benefit but also serves as a form of cyber espionage.
The investigation has brought to light the need for increased vigilance against supply chain attacks, especially those orchestrated by state-sponsored actors. The victims of this attack and others like it should take immediate steps to secure their networks and prevent further breaches.