Two Connected Software Supply Chain Attacks Lead to 3CX Compromise

The 3CX Desktop App software was reportedly compromised through an earlier software supply chain breach, with a North Korean actor suspected of being responsible.

According to security researchers at Mandiant, the initial compromise was traced back to malware from financial software firm Trading Technologies’ website.

The first attack saw hackers place a backdoor into an application available on the website known as X_Trader. That infected app, later installed on the computer of a 3CX employee, allowed the hackers to spread their access through 3CX’s network.

Writing in an advisory published earlier today, Mandiant said this would be the first observed instance of one software supply chain attack leading to another.

“In late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX’s legitimate software that was available to download from their website,” wrote Mandiant’s Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov and Marius Fodoreanu.

“[The attack] shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

The security experts said the affected versions were 3CX DesktopApp 18.12.416 and earlier, which contained malicious code.

“[The code] ran a downloader, Suddenicon, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub,” reads the technical write-up.

The decrypted C2 server was then used to download a third-stage payload called Iconicstealer, a data miner that steals browser information.

Mandiant said it is currently tracking this malicious activity as UNC4736, a suspected North Korean nexus cluster of activity.

“UNC4736 demonstrates varying degrees of overlap with multiple North Korean operators tracked by Mandiant Intelligence, especially with those involved in financially motivated cybercrime operations,” reads the company’s report.

“These clusters have demonstrated a sustained focus on cryptocurrency and fintech-related services over time.”

The Mandiant advisory comes a few months after the UK National Cyber Security Centre (NCSC) unveiled recommendations to help medium and large enterprises map their supply chain dependencies.