Context
On April 11, 2023, 3CX released the initial results of Mandiant’s incident response and investigation into the supply chain attack that compromised 3CXDesktopApp. According to the report, the activity is attributable to the North Korean threat group UNC4736.
Technical Details
According to Mandiant:
- “the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”) malware. When executed on Windows systems, TAXHAUL decrypts and executes shellcode located in a file named <machine hardware profile GUID>.TxR.0.regtrans-ms located in the directory C:\Windows\System32\config\TxR\.”
- “In this case, after decrypting and loading the shellcode contained within the file <machine hardware profile GUID>.TxR.0.regtrans-ms was a complex downloader which Mandiant named COLDCAT. It is worth noting, however, this malware differs from GOPURAM referenced in Kaspersky’s report.”
- “Mandiant also identified a MacOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz (MD5: d9d19abffc2c7dac11a16745f4aea44f). Mandiant is still analysing SIMPLESEA to determine if it overlaps with another known malware family.”
- “On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker’s malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection.”
IOCs
Mandiant provided the following indicators of compromise (IOCs):
Indicator | Type
d9d19abffc2c7dac11a16745f4aea44f | MD5
azureonlinecloud[.]com | C2 Domain
akamaicontainer[.]com | C2 Domain
journalide[.]org | C2 Domain
msboxonline[.]com | C2 Domain
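A defender's first use of the indicators above is a sweep of DNS or proxy logs and of file hashes. The following script is an added example, not part of this advisory or of Mandiant's report; it takes the four C2 domains and the SIMPLESEA MD5 exactly as listed, refangs the "[.]" notation, and reports which log lines reference a C2 domain (or any subdomain of it, since logs carry full hostnames while the IOC list names registrable domains). The log lines and file bytes are constructed for the demo; function names such as `match_domains` and `md5_hits` are this example's own.

```python
"""IOC sweep for the UNC4736 / 3CX indicators listed in the table above.

Added example; not code from the advisory or from Mandiant. Sample log
lines and file contents below are constructed for demonstration.
"""
import hashlib
import re

# Indicators copied verbatim from the IOC table, kept in defanged form.
C2_DOMAINS = [
    "azureonlinecloud[.]com",
    "akamaicontainer[.]com",
    "journalide[.]org",
    "msboxonline[.]com",
]
# MD5 of the SIMPLESEA backdoor found at /Library/Graphics/Quartz (from the report).
MD5_IOCS = {"d9d19abffc2c7dac11a16745f4aea44f"}

# Anything that looks like a hostname: labels, then a dot, then a 2+ letter TLD.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")

# Constructed DNS resolver log (not real telemetry). Line 3 is a decoy that
# merely contains an IOC as a substring and must NOT match.
SAMPLE_DNS_LOG = [
    "2023-04-11T09:58:01Z client=10.0.0.12 query=A name=update.microsoft.com",
    "2023-04-11T09:58:07Z client=10.0.0.12 query=A name=cdn.akamaicontainer.com",
    "2023-04-11T09:58:09Z client=10.0.0.40 query=A name=notmsboxonline.com",
    "2023-04-11T09:58:11Z client=10.0.0.40 query=TXT name=journalide.org",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def match_domains(log_lines, domains=C2_DOMAINS):
    """Return (line_number, indicator) for each line naming a C2 domain.

    A hostname matches when it equals the IOC or is a subdomain of it
    (host.endswith('.' + ioc)); plain substring containment is deliberately
    not enough, so 'notmsboxonline.com' does not trigger on 'msboxonline.com'.
    """
    wanted = {refang(d): d for d in domains}
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            for bad, original in wanted.items():
                if host == bad or host.endswith("." + bad):
                    hits.append((number, original))
    return hits


def md5_hex(blob: bytes) -> str:
    """Hex MD5 of a file's bytes, the form used in the IOC table."""
    return hashlib.md5(blob).hexdigest()


def md5_hits(blob: bytes, hashes=MD5_IOCS) -> bool:
    """True when the MD5 of `blob` is one of the hash IOCs."""
    return md5_hex(blob) in hashes


def sweep(log_lines, file_blobs, domains=C2_DOMAINS, hashes=MD5_IOCS):
    """Combine both checks into one report: {'dns': [...], 'files': [...]}."""
    return {
        "dns": match_domains(log_lines, domains),
        "files": [name for name, blob in file_blobs.items() if md5_hits(blob, hashes)],
    }


if __name__ == "__main__":
    # Constructed file contents; a real sweep would read e.g. /Library/Graphics/Quartz.
    report = sweep(SAMPLE_DNS_LOG, {"/Library/Graphics/Quartz": b"constructed placeholder bytes"})
    for line_no, ioc in report["dns"]:
        print(f"DNS hit on line {line_no}: {ioc}")
    print("hash hits:", report["files"] or "none")
```

Hash matching is exact, so it only catches the specific SIMPLESEA sample; a recompiled or padded variant needs behavioural or content-based detection. Note also that the Windows loader path in the report, C:\Windows\System32\config\TxR\<GUID>.TxR.0.regtrans-ms, reuses the naming scheme of the operating system's own registry transaction log files, so a hunt on that file name alone will flag legitimate files; compare hashes or inspect contents rather than matching on the name.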