April 16, 2023 - BY Admin

Forensic Analysis Confirms Involvement of North Korean Attackers in 3CX Supply Chain Attack

A few days ago, VoIP/IPBX software vendor 3CX disclosed a supply chain attack in which attackers had targeted and infected the macOS and Windows versions of its desktop app. Further investigation has since revealed additional details about new malware and threat actor attribution.

New malware discovered

Once executed, the Taxhaul malware decrypts shellcode stored on the machine using a Windows API call and runs it.
  • The decrypted shellcode is a downloader malware, dubbed Coldcat. The malicious files are saved under C:\Windows\System32\config\TxR\, in an attempt to disguise them as Windows installation files.
  • The decryption key is unique to every targeted host machine, so the decrypted payload cannot be executed in a sandbox or VM other than the infected host.
  • In addition, the attacker used DLL sideloading to achieve persistence on the infected machine and ensure that the malware gets loaded at every restart.

Attacks on macOS

The macOS backdoor SIMPLESEA is written in C and communicates with its C2 server over HTTP.
  • It allows the operator to manage, execute, and transfer files, update the backdoor's configuration, and execute shell commands.
  • It checks for the existence of a specific file (/private/etc/apdl[.]cf) that stores its configuration, single-byte XOR encoded with the key 0x5e.
  • It communicates with the C2 by sending a unique, randomly generated bot ID together with a short survey report about the host.
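For responders triaging a macOS host, the configuration artifact above is easy to check and decode. The following is an added example written for this page, not code from Mandiant, 3CX, or the malware itself; it assumes the real path is the defanged path shown above with the brackets removed, and the sample configuration content it decodes is constructed for illustration.

```python
import os
from typing import Optional

# Artifact path and XOR key as reported above (path is shown defanged on the page;
# the undefanged form here is an assumption).
SIMPLESEA_CONFIG_PATH = "/private/etc/apdl.cf"
SIMPLESEA_XOR_KEY = 0x5E


def xor_decode(data: bytes, key: int = SIMPLESEA_XOR_KEY) -> bytes:
    """Reverse a single-byte XOR encoding. XOR is its own inverse, so the same
    function also produces the encoded form from plaintext."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(data: bytes, crib: bytes) -> Optional[int]:
    """Analyst aid for a variant with a changed key: try all 256 single-byte keys
    and return the first one whose decoding contains an expected plaintext
    fragment (the crib), or None if no key fits."""
    for key in range(256):
        if crib in xor_decode(data, key):
            return key
    return None


def triage_config_file(path: str = SIMPLESEA_CONFIG_PATH) -> Optional[str]:
    """Return the decoded configuration if the artifact exists on this host,
    otherwise None (a clean host has no such file)."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return xor_decode(fh.read()).decode("utf-8", errors="replace")


# Constructed sample: a made-up configuration string encoded the way the
# page describes (single-byte XOR with 0x5e). Not a real SIMPLESEA config.
SAMPLE_PLAINTEXT = b"c2=https://c2.example.invalid/api;bot=placeholder"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(xor_decode(SAMPLE_ENCODED).decode())
    print(hex(recover_single_byte_key(SAMPLE_ENCODED, b"https://")))
    print(triage_config_file())
```

On a clean machine `triage_config_file()` returns None; a decoded string indicates the artifact is present and warrants a full investigation of the host.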

Concluding notes

Mandiant's comprehensive report provides further confirmation of the involvement of North Korean hackers in the recent 3CX attack. This corroborates previous findings by CrowdStrike, which had already linked the attack to the North Korean nexus known as LABYRINTH CHOLLIMA. In response, 3CX has proactively issued security guidelines and additional steps to safeguard the interests of impacted organizations. It is highly recommended that users follow these guidelines diligently to ensure their protection.