Posted on April 24, 2023 at 7:57 AM

Lazarus hacking group compromised X_TRADER to target critical infrastructure

The North Korean hacking group, Lazarus, was attributed to the hacking campaign against 3CX. However, it appears as if the supply chain attack on 3CX was just one of the many exploits conducted by the group. The hackers also targeted the power and energy sectors as well as finance.

Lazarus group targets critical infrastructure

Besides conducting an exploit against 3CX, the Lazarus hacking group also targeted two critical infrastructure firms operating in the power and energy sector. They also targeted two businesses offering financial trading services through the trojanized X_TRADER application.

The new findings into the activity of this North Korean hacking group were revealed by Symantec’s Threat Hunter Team. The findings confirm earlier reports of the X_TRADER application being compromised and affecting more organizations beyond 3CX. However, the names of the other organizations targeted in the attack have not been revealed.

The director of security response at Symantec, Eric Chien, commented on this discovery, saying that the attacks in question happened between September 2022 and November 2022. Chien noted that the impact of these attacks is yet to be determined and that investigations were still ongoing. Chien noted that there might be more to the exploit on 3CX, with the extent of the damage being largely significant.

3CX hack attributed to X_TRADER

Last month, Mandiant published a report disclosing the breach on 3CX. In its report, the cybersecurity company said that the exploit on 3CX was enabled by another software supply chain attack on X_TRADER in 2022. At the time, an employee at the company downloaded a malicious software installer to their personal computer.

In its report, Mandiant said, “Investigations of the 3CX supply chain compromise has uncovered the initial intrusion vector: a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.”

It is yet to be determined how a North Korean threat actor infiltrated the X_TRADER trading software created by Trading Technologies. The service has been defunct since April 2020, but it remained available for download on the company’s website.

The investigation conducted by Mandiant also revealed that the backdoor known as VEILEDSIGNAL was installed into the malicious X_TRADER app, allowing the threat actor to obtain access to the employee’s computer and steal their credentials. The credentials were later used to hack the 3CX network and compromise macOS and Windows environments to install malicious code.

The recent supply chain attack on 3CX extends beyond the modus operandi of North Korean hacking groups. These groups are largely popular with targeting cryptocurrency companies and conducting attacks for financial gains.

Mandiant added that it was moderately confident that the hacking activity was associated with AppleJeus. AppleJeus is a persistent hacking campaign that targets companies operating in the crypto industry for financial gains. The CrowdStrike cybersecurity company had attributed the breach to Labyrinth Chollima.

Google’s Threat Analysis Group had attributed the compromise to the attack on the Trading Technologies website in February last year. At the time, hackers exploited a zero-day vulnerability within the Chrome web browser.

ESET researchers also analyzed the campaigns conducted by the Lazarus group. The analysis showed the existence of Linux-based malware known as SimplexTea, which shares a similar network infrastructure used by UNC4736. The research further proves that North Korean hackers did the exploit on 3CX.

The ESET researchers noted that the Mandiant report of a second supply chain attack that triggered the compromise of 3CX shows that the hacking group is leaning towards the technique to obtain initial access to the target networks.

The exploit on X_TRADER also shows that the hackers were financially motivated. Lazarus is a general term used as an umbrella for smaller hacking groups based in North Korea. The Lazarus hackers conduct espionage or cybercriminal activities on behalf of North Korea as the country faces heavy international sanctions.

The report by the Symantec research team on the infection chain shows that the VEILEDSIGNAL modular backdoor was deployed. It also incorporates a process-injection component within Chrome, Edge, and Firefox browsers.

The module also contains a dynamic-link library (DLL) linked to the Trading Technologies’ website for command and control. The Symantec researchers concluded that the hack on 3CX was because of another earlier supply chain attack that increased the likelihood of organizations being targeted by the campaign. Cybersecurity researchers believe that the breach at 3CX was broader than originally believed.