According to Symantec, the supply chain attack that earlier targeted the network of enterprise communications provider 3CX (read more here: https://www.securitylab.ru/news/537385.php) also affected several critical infrastructure organisations on European and US soil.
The attack has initially been attributed to the Lazarus group. The actors infiltrated a software firm that claims hundreds of thousands of customers around the world, in an operation that demonstrated quite advanced capabilities. The breach of 3CX gave the North Korean operators a potential foothold in a huge swath of multinational firms, from hotel chains to health-care providers, that use the firm's software for voice and video calls.
The attackers used a trojanized X_Trader software installer to deploy the multi-stage, modular VEILEDSIGNAL backdoor on victims' systems. Once installed, the malware can execute shellcode and inject a C2 communication module into Chrome, Firefox, or Edge processes. That module creates a named pipe, listens for incoming messages on it, and forwards them to the C2 server.
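As an added illustration of the behaviour described above (example code written here, not code from the original post or from any of the cited reports), the following Python correlates a remote-thread creation into a browser process with a named pipe created shortly afterwards by that same process. The Sysmon-style event records, field names, paths, PIDs and pipe names are constructed assumptions for the example.

```python
"""Flag a named pipe created by a browser process shortly after another image
injected a thread into it, the pattern described for the VEILEDSIGNAL C2 module.
All events below are constructed, simplified Sysmon-style records (added example)."""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed sample events modelled on Sysmon Event 8 (CreateRemoteThread)
# and Event 17 (PipeCreated); field names are simplified, not a full schema.
EVENTS = [
    {"id": 8, "ts": "2023-04-20T10:00:00",
     "SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 4242},
    {"id": 17, "ts": "2023-04-20T10:00:07",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 4242, "PipeName": r"\example-placeholder-pipe"},
    {"id": 17, "ts": "2023-04-20T10:01:00",          # no prior injection: benign
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 5150, "PipeName": r"\another-pipe"},
    {"id": 17, "ts": "2023-04-20T11:30:00",          # injected earlier, but outside window
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 4242, "PipeName": r"\late-pipe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, window=WINDOW):
    """Return one alert per pipe created by a browser PID within `window`
    of a remote thread being created in that PID by another image."""
    injected = {}   # pid -> (time of injection, injecting image)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 8 and basename(ev["TargetImage"]) in BROWSERS:
            injected[ev["TargetProcessId"]] = (t, ev["SourceImage"])
        elif ev["id"] == 17 and basename(ev["Image"]) in BROWSERS:
            hit = injected.get(ev["ProcessId"])
            if hit and t - hit[0] <= window:
                alerts.append({"pid": ev["ProcessId"], "pipe": ev["PipeName"],
                               "injector": hit[1]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("suspicious pipe after injection:", alert)
```

Sysmon Event 8 only records CreateRemoteThread-style injection, so other injection techniques need additional telemetry before this correlation can fire.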
Sources:
https://www.securitylab.ru/news/537385.php
https://www.securitylab.ru/news/537748.php
https://web.archive.org/web/2023042...-hacking-supply-chain-3cx-mandiant/index.html
https://web.archive.org/web/2023042...04/lazarus-xtrader-hack-impacts-critical.html