
Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach


Two critical infrastructure organisations in the power and energy sector, along with two other businesses involved in financial transactions, were also compromised by the North Korean hacking group Lazarus as part of the cascading supply chain attack that targeted 3CX.

Symantec’s Threat Hunter Team has uncovered new findings that support the hypothesis that the trojanized X_TRADER software compromised more organisations than just 3CX. The affected organisations were not named.


The attacks occurred between September and November of 2022, according to a statement released to The Hacker News by Eric Chien, director of security response at Broadcom-owned Symantec.

“The impact from these infections is unknown at this time – more investigation is required and is on-going,” Chien said, adding that there is “likely more to this story and possibly even other packages that are trojanized.”


The development comes as Mandiant disclosed that last month’s compromise of the 3CX desktop application was facilitated by another software supply chain breach, targeting X_TRADER in 2022, after an employee downloaded the tainted software installer to their personal computer.


How the North Korean nexus actor UNC4736 compromised Trading Technologies’ X_TRADER software is presently unknown. The software was discontinued in April 2020, but it was still downloadable from the company’s website as recently as last year.

According to Mandiant’s research, the compromised X_TRADER app carried a backdoor named VEILEDSIGNAL. The backdoor gave the attacker access to the employee’s computer and allowed them to steal the employee’s credentials, through which malicious code was ultimately inserted into the Windows and macOS build environments.


North Korea-aligned groups and operations that have historically targeted bitcoin companies and carried out financially motivated attacks show significant overlap with this sprawling, interlinked attack.


The Google Cloud subsidiary has assessed with “moderate confidence” that the activity is linked to AppleJeus, a persistent campaign targeting crypto companies for financial theft. Cybersecurity firm CrowdStrike previously attributed the attack to a Lazarus cluster it calls Labyrinth Chollima.

The same adversarial collective was previously linked by Google’s Threat Analysis Group (TAG) to the compromise of Trading Technologies’ website in February 2022, which was used to serve an exploit kit that leveraged a then-zero-day flaw in the Chrome web browser.

ESET, in an analysis of a separate Lazarus Group campaign, disclosed a new piece of Linux-based malware called SimplexTea that shares network infrastructure with that identified as used by UNC4736, further strengthening the existing evidence that the 3CX hack was orchestrated by North Korean threat actors.

“[Mandiant’s] finding about a second supply-chain attack responsible for the compromise of 3CX is a revelation that Lazarus could be shifting more and more to this technique to get initial access in their targets’ network,” ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.


The compromise of the X_TRADER application further points to the attackers’ financial motivations. Lazarus (also known as Hidden Cobra or Zinc) is an umbrella term for several subgroups based in North Korea that engage in both espionage and cybercriminal activity on behalf of the Hermit Kingdom as a way to evade international sanctions.


According to Symantec’s analysis of the infection chain, the attackers used the VEILEDSIGNAL modular backdoor. The backdoor is capable of injecting itself into the Chrome, Firefox and Edge web browser processes, and its command-and-control (C2) functionality is provided by a dynamic-link library (DLL) that communicates with Trading Technologies’ server.
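As an added, defender-side illustration that is not part of the original article: the snippet below scans constructed Sysmon Event ID 8 (CreateRemoteThread) records and flags threads created inside Chrome, Firefox or Edge by a process that is not itself a browser, the behaviour the article attributes to VEILEDSIGNAL. The simplified key=value log rendering, the file paths and the process names are assumptions made up for this example; only the Sysmon field names (EventID, SourceImage, TargetImage) are real.

```python
"""Flag remote-thread creation into browser processes from Sysmon Event ID 8 logs.

Added example, not code from the article or from any vendor. The log format
below is a constructed key=value rendering of Sysmon fields, not raw EVTX.
"""
import re
from dataclasses import dataclass

# Browser image names named in the article as injection targets.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample records. "tt.exe" and the user paths are made up.
SAMPLE_LOG = r"""
EventID=8 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe StartModule=
EventID=8 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe StartModule=
EventID=8 SourceImage=C:\Users\trader\AppData\Local\Temp\tt.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe StartModule=
EventID=1 Image=C:\Windows\System32\notepad.exe
EventID=8 SourceImage=C:\Users\trader\AppData\Local\Temp\tt.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe StartModule=
"""

# key=value pairs whose values may contain spaces (Windows paths); a value
# ends just before the next " Key=" token or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass(frozen=True)
class Alert:
    source: str  # full path of the process that created the thread
    target: str  # full path of the browser process it was created in


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict of Sysmon field names."""
    return dict(FIELD_RE.findall(line.strip()))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_browser_injection(log_text: str) -> list:
    """Return an Alert for each CreateRemoteThread into a browser from a non-browser.

    Browsers legitimately create threads in their own helper processes, so a
    browser-to-browser event is not reported; everything else is suspicious.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("EventID") != "8":
            continue  # only CreateRemoteThread records are relevant here
        src, tgt = rec.get("SourceImage", ""), rec.get("TargetImage", "")
        if basename(tgt) in BROWSER_IMAGES and basename(src) not in BROWSER_IMAGES:
            alerts.append(Alert(src, tgt))
    return alerts
```

On the constructed sample this reports three alerts (explorer.exe into chrome.exe, and tt.exe into firefox.exe and msedge.exe) and ignores the firefox-to-firefox event and the non-Event-8 line.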

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” Symantec concluded.
