North Korean hackers have been using a supply chain attack to target critical infrastructure organizations in the United States and Europe. The attack involves the use of a trojanized installer for X_Trader software to deploy the VEILEDSIGNAL multi-stage modular backdoor onto victims’ systems. Once installed, the malware can execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems.
The attack was first discovered in March 2023, when security researchers at Sophos and CrowdStrike began to see 3CX softphone clients being infected with malware. The researchers quickly determined that the malware was being installed through a trojanized installer for X_Trader software, a popular trading platform.
Symantec’s Threat Hunter Team later confirmed that the North Korean-backed threat group linked to the Trading Technologies and 3CX attacks also used the X_Trader supply chain attack to target critical infrastructure organizations.
Mandiant also confirmed this week that it is tracking the 3CX software supply chain attack as North Korean threat group UNC4736.
Software supply chain attacks quickly escalate in scope
The team found that the attackers had compromised at least four other entities besides 3CX, including two organizations in the United States and two organizations in Europe.
The 3CX and X_Trader supply chain attack has left many cybersecurity experts concerned that the actual victim list and impact have yet to be determined.
The attack is particularly concerning because it targets critical infrastructure organizations. These organizations are responsible for providing essential services such as power, water, and transportation. If these organizations were to be compromised by malware, it could have a devastating impact on the lives of millions of people.
How to defend against the 3CX and X_Trader Supply Chain Attack
Organizations that use the X_Trader software are advised to uninstall the impacted Electron desktop client from all Windows and macOS devices. They are also advised to immediately switch to the progressive web application (PWA) Web Client App providing similar features.
Symantec has listed the indicators of compromise, with recommended protection and mitigation steps on their corporate blog.
Mandiant outlines the tactics, techniques, and procedures for the X_Trader and 3CX software supply chain attacks on its blog post along with MITRE ATT&CK mappings.
