Context
On April 11, 2023, 3CX released the initial results of Mandiant’s incident response and investigation into the supply chain attack that compromised 3CXDesktopApp. According to the report, the activity is attributable to the North Korean threat group UNC4736.
Technical Details
According to Mandiant:
- “the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”) malware. When executed on Windows systems, TAXHAUL decrypts and executes shellcode located in a file named <machine hardware profile GUID>.TxR.0.regtrans-ms located in the directory C:\Windows\System32\config\TxR\.”
- “In this case, after decrypting and loading the shellcode contained within the file <machine hardware profile GUID>.TxR.0.regtrans-ms was a complex downloader which Mandiant named COLDCAT. It is worth noting, however, this malware differs from GOPURAM referenced in Kaspersky’s report.”
- “Mandiant also identified a MacOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz (MD5: d9d19abffc2c7dac11a16745f4aea44f). Mandiant is still analysing SIMPLESEA to determine if it overlaps with another known malware family.”
- “On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker’s malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection.”
IOCs
Mandiant provided the following indicators of compromise (IOCs):
|
Indicator |
Type |
|
d9d19abffc2c7dac11 |
MD5 |
|
azureonlinecloud[.]com |
C2 Domain |
|
akamaicontainer[.]com |
C2 Domain |
|
journalide[.]org |
C2 Domain |
|
msboxonline[.]com |
C2 Domain |
