3CX, the provider of the popular Phone System VoIP/PBX software, was hit by an incident involving a trojanized version of the 3CX desktop app. With 600,000 customers in 190 countries waiting for answers, 3CX engaged the specialist firm Mandiant to carry out the forensic investigation. The first findings are now available: the attack is probably the work of a North Korean APT group.
Based on Mandiant's investigation so far into the 3CX intrusion and supply chain attack, the activity is assigned to a cluster tracked as UNC4736. Mandiant assesses with a high degree of confidence that UNC4736 has a North Korean nexus.
Windows-based malware
Mandiant found that the attacker had infected targeted 3CX systems with TAXHAUL malware (aka "TxRLoader"). When run on Windows systems, TAXHAUL decrypts and executes shellcode contained in a file named .TxR.0.regtrans-ms located in the C:\Windows\System32\config\TxR\ directory. The attacker likely chose this filename and location so that the file blends in with standard Windows installations.
The malware uses the Windows CryptUnprotectData API to decrypt the shellcode with a cryptographic key that is unique to each compromised host, which means the data can only be decrypted on the infected system. The attacker likely made this design decision to increase the cost and effort of analysis for security researchers and investigators.
In this case, after decrypting and loading, the file .TxR.0.regtrans-ms contained a complex downloader that Mandiant named COLDCAT. It is worth noting that this malware is distinct from GOPURAM, which is referenced in Kaspersky's report (Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack).
macOS-based malware
Mandiant has also identified a macOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz (MD5: d9d19abffc2c7dac11a16745f4aea44f). Mandiant is still analyzing SIMPLESEA to determine whether it overlaps with any known malware family.
Written in C, the backdoor communicates over HTTP. Supported backdoor commands include shell command execution, file transfer, file execution, file management, and configuration update. It can also be tasked to test connectivity to a provided IP address and port number.
The backdoor checks for the existence of its configuration file at /private/etc/apdl.cf. If the file does not exist, it is created with hard-coded values. The configuration file is single-byte XOR encoded with key 0x5e. C2 communication is sent via HTTP requests. On first run, a bot ID is randomly generated using the malware's PID, and this ID is sent with every C2 connection. A short host survey report is included with beacon requests. Judging by the function names in the binary, message contents are encrypted using the A5 stream cipher.
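For analysts who recover a copy of the configuration file from a suspect Mac, the single-byte XOR scheme described above is straightforward to reverse. The following is an added example written for this article, not code from Mandiant or 3CX: it decodes a blob with the reported key 0x5e and, going a step beyond the text, brute-forces the key when it is unknown by scoring how text-like each candidate output is. The real apdl.cf layout is not described in the article, so the sample plaintext and its field names are constructed.

```python
"""Decode a single-byte-XOR-obfuscated config such as SIMPLESEA's apdl.cf."""
from pathlib import Path
from typing import Optional

SIMPLESEA_XOR_KEY = 0x5E  # key reported for the apdl.cf configuration file

# Bytes a text-style config is expected to consist of: lowercase ASCII,
# digits, space and newline. Used only as a heuristic to score candidate keys.
TEXT_BYTES = set(b"abcdefghijklmnopqrstuvwxyz0123456789 \n")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that fall into TEXT_BYTES (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def recover_xor_key(blob: bytes, threshold: float = 0.9) -> Optional[int]:
    """Try all 256 keys and return the one whose output looks most like text,
    or None if no candidate reaches the threshold (probably not single-byte
    XOR, or not a text-style config)."""
    best_key, best_score = None, 0.0
    for key in range(256):
        score = text_score(xor_single_byte(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


def decode_config_file(path: str, key: int = SIMPLESEA_XOR_KEY) -> str:
    """Read an on-disk config file (e.g. a copy of apdl.cf) and decode it."""
    return xor_single_byte(Path(path).read_bytes(), key).decode("latin-1")


# Constructed sample: hypothetical plaintext settings (field names invented),
# encoded with 0x5e the way the backdoor would store them on disk.
SAMPLE_PLAINTEXT = b"beacon interval 60\nhost survey on start\n"
SAMPLE_ENCODED = xor_single_byte(SAMPLE_PLAINTEXT, SIMPLESEA_XOR_KEY)

if __name__ == "__main__":
    print("encoded:", SAMPLE_ENCODED.hex())
    print("decoded:", xor_single_byte(SAMPLE_ENCODED, SIMPLESEA_XOR_KEY).decode())
    print("recovered key: 0x%02x" % recover_xor_key(SAMPLE_ENCODED))
```

Note that XOR with 0x5e maps lowercase letters onto printable punctuation and digits, so a plain "is it printable?" check is not enough to tell encoded from decoded; the scoring set above deliberately excludes punctuation for that reason.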
Further analysis for experts
3CX offers a more detailed analysis of the findings on its website. There is also further information on the individual protocols, as well as YARA rules that can be used to hunt for TAXHAUL (TxRLoader).
More at 3CX.com
About 3CX
Founded in 2005 when VoIP was still an emerging technology, 3CX has since established itself as a global leader in business VoIP communications. Using the open SIP standard and WebRTC technology, 3CX has outgrown its phone system roots and evolved into a complete communications platform.