Mandiant has a high degree of confidence that the threat actor behind the supply chain attack on 3CX is a North Korea-linked adversary, identified by the incident response firm as UNC4736, 3CX CISO Pierre Jourdan said in a blog post Tuesday.
The actor targeted 3CX systems with a Windows-based malware called Taxhaul, also known as TxRLoader, which decrypts and executes shellcode in a way designed to blend into standard Windows installations, Jourdan said.
The attribution comes as 3CX is in recovery mode, shoring up its product security and making plans to retain customers.
The company provides widely used communications apps that allow companies to make calls, send messages and conduct video conferences online. The firm says it has more than 600,000 business customers globally and 12 million daily active users.
3CX is planning a new release of its communications app that is focused on security, CEO Nick Galea said Tuesday.
The company is still urging customers to install the PWA web app whenever possible. It will include a busy lamp field panel in the dialer.
All web passwords will be hashed in the upgraded version. The web client password and the config file will no longer be included in the welcome email.
Beyond the security upgrades, 3CX officials are working to regain any lost sales momentum by offering incentives to product resellers. The company on Monday announced it would offer 15% cash back on 2023 sales, lower partner revenue quotas and extend the expiration dates of paid subscriptions.
Behind the execution
Using DLL side-loading to achieve persistence, the threat actor executed the malware in the context of legitimate Windows binaries, making it harder to detect. The malware loaded during system startup, which allowed the actor to maintain remote access to the infected system, Jourdan said.
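The side-loading pattern described above leaves a characteristic trace in image-load telemetry: a DLL with a well-known Windows name loaded from an application folder instead of the system directory, or an unsigned DLL loaded by a signed host from that host's own directory. The following is an added detection example, not code from the article, 3CX or Mandiant; it assumes Sysmon-style Event ID 7 records reduced to a few fields, and every path, DLL name and record below is a constructed placeholder rather than a real 3CX indicator.

```python
"""Heuristic DLL side-loading detection over image-load records (added example).

Assumes records shaped like Sysmon Event ID 7 (Image, ImageLoaded, plus two
signature flags). All sample data is constructed; names are placeholders.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that normally live in the system directory; a copy loaded
# from an application folder is the classic side-loading signal.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def side_load_findings(events):
    """Return (host_image, dll_path, reason) for each suspicious load."""
    findings = []
    for ev in events:
        dll, host = ev["ImageLoaded"], ev["Image"]
        reason = None
        if _name(dll) in SYSTEM_DLLS and _parent(dll) not in SYSTEM_DIRS:
            reason = "system DLL name loaded from non-system directory"
        elif ev["HostSigned"] and not ev["Signed"] and _parent(dll) == _parent(host):
            reason = "unsigned DLL loaded from signed host's own directory"
        if reason:
            findings.append((host, dll, reason))
    return findings


# Constructed sample telemetry: one benign load, two side-loading candidates.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": True, "HostSigned": True},
    {"Image": r"C:\Program Files\ExampleApp\ExampleApp.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\version.dll",
     "Signed": False, "HostSigned": True},
    {"Image": r"C:\Program Files\ExampleApp\ExampleApp.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
     "Signed": False, "HostSigned": True},
]

if __name__ == "__main__":
    for host, dll, why in side_load_findings(SAMPLE_EVENTS):
        print(f"{why}: {dll} <- {host}")
```

Both heuristics produce false positives on legitimate software that ships private copies of common DLLs, so in practice the findings are triaged against the vendor's expected file inventory rather than alerted on directly.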
Once decrypted and loaded, the shellcode turned out to be a complex downloader that Mandiant named Coldcat. This is not, however, the same as the backdoor that Kaspersky recently identified as Gopuram in connection with the 3CX attack.
Mandiant also found a macOS backdoor called SimpleSea, which researchers are still investigating to determine whether there are links to known malware families, according to the blog.
The Mandiant findings appear to confirm prior warnings from CrowdStrike in March, when it linked the attack to a threat actor called Labyrinth Chollima, which has ties to the Democratic People’s Republic of Korea dating back to 2009.
Mandiant officials declined to comment on the findings, as the investigation into the attack is ongoing, according to a spokesperson.