VoIP communications company 3CX has confirmed that a North Korean hacking group was responsible for a supply chain attack on its systems last month.
The group has been identified as UNC4736, and is associated with a high level of confidence with North Korea, according to Mandiant, the firm that carried out the investigation into the attack.
The attackers used malware known as Taxhaul, or TxRLoader, to infect 3CX systems. This allowed a second-stage malware downloader named Coldcat to be deployed. This malware was able to achieve persistence on compromised systems through DLL side-loading via legitimate Microsoft Windows binaries, making it more difficult to detect.
The malware was also able to automatically load during system start-up on all infected devices, which allowed the attackers remote access over the internet. Mac OS systems were also targeted in the attack and were backdoored with malware known as Simplesea.
Mandiant is still analyzing this malware to determine whether it overlaps with previously known malware families. The backdoor commands that the malware was able to support included shell command execution, file transfer, file execution, file management, and configuration updating.
After the incident was disclosed, 3CX advised customers to uninstall the impacted Electron desktop client from all Windows and Mac OS devices, and to immediately switch to the progressive web application (PWA) Web Client App, which provides similar features.
The company has not yet disclosed how the supply chain attack was conducted, but researchers have discovered that the attackers exploited a 10-year-old Windows vulnerability to camouflage the malicious DLLs bundling the payloads as legitimately signed. 3CX Phone System is used by over 600,000 companies worldwide and over 12 million users daily, with the customer list including high-profile companies and organizations such as American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers.
