North Korean Lazarus Group Linked to 3CX Supply Chain Hack
Tools, Code Used to Hack 3CX Desktop Confirm Cyberespionage Group's Involvement
Security researchers have uncovered more evidence that the North Korean Lazarus Group is responsible for the software supply chain attack on 3CX, a voice and video calling desktop client used by major multinational companies.
Attribution to the Lazarus Group became evident during an analysis of the tools used in the attack, said cybersecurity firm Volexity, along with Sophos, CrowdStrike and others.
"The shellcode sequence appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus," Volexity said.
Sophos researchers also said the code previously had been seen in incidents attributed to the Lazarus Group.
"The code in this incident is a byte-to-byte match to those previous samples," Sophos said.
Researchers at CrowdStrike analyzed and reverse-engineered the code and identified the threat actor as Labyrinth Chollima, another name for Lazarus Group.
"Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023, campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA," CrowdStrike said.
Lazarus Group is suspected of carrying out a series of high-profile attacks, including the Sony Pictures hack of 2014 and the WannaCry ransomware attacks of 2017.
Since those attacks, U.S. government agencies, including the FBI, have issued regular warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime.
Florida-based 3CX said it is "trusted by 600,000+ companies" that have up to 12 million daily users in organizations that include Toyota, Mercedes-Benz, Coca-Cola, McDonald's and Britain's National Health Service.
3CX CEO Nick Galea said the company hired cybersecurity firm Mandiant, a subsidiary of Google, to investigate the incident.
Volexity says it identified public forum postings on 3CX's website that stated various endpoint detection and response and antivirus vendors had started to flag the malicious activity from software updates on March 22, 2023, though the company said the malicious activity likely began much earlier.
A user named Brendan D on March 22 posted about the issue on the 3CX forum, asking, "Is anyone else seeing this issue with other A/V vendors?" in a thread titled, "Threat alerts from SentinelOne for desktop update initiated from the desktop client."
SentinelOne's alerts flagged indicators of software exploitation, such as a penetration framework or shellcode, as well as evasion, indirect command execution and code injection.
Several other users joined the conversation and commented about similar issues. A user named skuers called on 3CX to address the issue.
"While that would sound ideal, there's hundreds if not thousands of AV solutions out there, and we can't always reach out to them whenever an event occurs. We use the Electron framework for our app. Perhaps they are blocking some of its functionality?" a member from the 3CX support team responded.
The hack was traced to a vulnerable Electron software library file. Electron is an open-source framework for user interfaces. Hackers took pains to ensure the trojanized version of 3CX works normally. They injected malicious code into the Electron branch of the source code, rather than attempting to modify 3CX's proprietary code, wrote Sophos analyst Paul Ducklin.
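Because the trojanized component was a third-party library that kept working normally, observing the application's behaviour alone does not reveal the swap; comparing the hashes of bundled components against values pinned from the upstream release does. The following Python example is added here and is not code from the article, 3CX or any of the named vendors; the file names, contents and manifest are constructed for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large bundled libraries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundled_libs(app_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Compare every pinned third-party file under app_dir with its expected hash.

    Returns one finding per file that is missing or whose hash differs. A
    library with injected code that still works normally shows up here even
    though the application itself behaves as expected.
    """
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(app_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
            continue
        actual = sha256_file(path)
        if actual != expected:
            findings.append(f"{name}: hash mismatch (got {actual[:16]}...)")
    return findings


def demo() -> List[str]:
    """Constructed install directory: one clean framework file, one file with
    extra bytes appended (standing in for a tampered library) and one pinned
    file that is absent from disk."""
    clean = b"upstream framework library bytes (constructed)\n"
    with tempfile.TemporaryDirectory() as app_dir:
        manifest = {
            "framework_lib.bin": hashlib.sha256(clean).hexdigest(),
            "codec_lib.bin": hashlib.sha256(clean).hexdigest(),
            "missing_lib.bin": hashlib.sha256(clean).hexdigest(),
        }
        with open(os.path.join(app_dir, "framework_lib.bin"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(app_dir, "codec_lib.bin"), "wb") as fh:
            fh.write(clean + b"injected loader stub (constructed)\n")
        return verify_bundled_libs(app_dir, manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the manifest would be generated from the upstream project's release artifacts at build time and shipped, signed, alongside the installer so the check can be repeated on endpoints after an update.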