Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach
22.4.23 ICS The Hacker News
Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application.
The new findings, which come courtesy of Symantec's Threat Hunter Team, confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed.
Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022.
"The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized."
The development comes as Mandiant disclosed that the compromise of the 3CX desktop application software last month was facilitated by another software supply chain breach targeting X_TRADER in 2022, which an employee downloaded to their personal computer.
It's currently unclear how UNC4736, a North Korean nexus actor, tampered with X_TRADER, a piece of trading software developed by a company named Trading Technologies. While the service was discontinued in April 2020, it was still available for download on the company's website as recently as last year.
Mandiant's investigation has revealed that the backdoor (dubbed VEILEDSIGNAL) injected into the corrupted X_TRADER app allowed the adversary to gain access to the employee's computer and siphon their credentials, which were then used it to breach 3CX's network, move laterally, and compromise the Windows and macOS build environments to insert malicious code.
The sprawling interlinked attack appears to have substantial overlap with previous North Korea-aligned groups and campaigns that have historically targeted cryptocurrency companies and conducted financially motivated attacks.
The Google Cloud subsidiary has assessed with "moderate confidence" that the activity is linked to AppleJeus, a persistent campaign targeting crypto companies for financial theft. Cybersecurity firm CrowdStrike previously attributed the attack to a Lazarus cluster it calls Labyrinth Chollima.
The same adversarial collective was previously linked by Google's Threat Analysis Group (TAG) to the compromise of Trading Technologies' website in February 2022 to serve an exploit kit that leveraged a then zero-day flaw in the Chrome web browser.
ESET, in an analysis of a disparate Lazarus Group campaign, disclosed a new piece of Linux-based malware called SimplexTea that shares the same network infrastructure identified as used by UNC4736, further expanding on existing evidence that the 3CX hack was orchestrated by North Korean threat actors.
"[Mandiant's] finding about a second supply-chain attack responsible for the compromise of 3CX is a revelation that Lazarus could be shifting more and more to this technique to get initial access in their targets' network," ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.
The compromise of the X_TRADER application further alludes to the attackers' financial motivations. Lazarus (also known as HIDDEN COBRA) is an umbrella term for a composite of several subgroups based in North Korea that engage in both espionage and cybercriminal activities on behalf of the Hermit Kingdom and evade international sanctions.
Symantec's breakdown of the infection chain corroborates the deployment of the VEILEDSIGNAL modular backdoor, which also incorporates a process-injection module that can be injected into Chrome, Firefox, or Edge web browsers. The module, for its part, contains a dynamic-link library (DLL) that connects to the Trading Technologies' website for command-and-control (C2).
"The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed," Symantec concluded.