Skip to main content
close search
site logo

3CX threat actor named as company focuses on security upgrades, customer retention

Mandiant attributed the supply chain attack to a North Korea-linked adversary that targeted systems using Windows-based malware.

Published April 12, 2023
David Jones's headshot
Reporter
Abstract planet made up of squares.
Gegham Qalajyan via Getty Images

Mandiant has a high degree of confidence that the threat actor behind the supply chain attack on 3CX is North Korea-linked adversary, identified by the incident response firm as UNC4736, 3CX CISO Pierre Jourdan said in a blog post Tuesday. 

The actor targeted 3CX systems with a Windows-based malware called Taxhaul, also known as TxRLoader, which decrypts and executes shellcode in a way designed to blend into standard Windows installations, Jourdan said.  

The attribution comes as 3CX is in recovery mode, shoring up its product security and making plans to retain customers.   

The company provides widely used communications apps that allow companies to make calls, send messages and conduct video conferences online. The firm says it has more than 600,000 business customers globally and 12 million daily active users. 

3CX is planning a new release of its communications app that is focused on security, CEO Nick Galea said Tuesday. 

The company is still urging customers to install a PWA Web app, whenever possible. It will include a busy lamp field panel in the dialer. 

All web passwords will be hashed in the upgraded version. The web client password and the config file will no longer be included in the welcome email. 

Beyond the security upgrades, 3CX officials are working to regain any lost sales momentum by offering incentives to product resellers. The company on Monday announced it would offer 15% cash back on 2023 sales as well as lowering partner revenue quotas and is extending the expiration dates of paid subscriptions. 

Behind the execution

Using DLL side-loading to achieve persistence, the threat actor executed the malware in the context of legitimate Windows binaries, making it harder to detect. The malware loaded during system startup, which allowed the actor to maintain remote access to the infected system, Jourdan said. 

After decrypting and loading the shellcode, the investigation identified a complex downloader that Mandiant named Coldcat. This, however, is not the same as the backdoor that Kasperky recently identified as Gopuram associated with the 3CX attack. 

Mandiant also found a macOS backdoor called SimpleSea, which researchers are still investigating to determine whether there are links to known malware families, according to the blog. 

The Mandiant findings appear to confirm prior warnings from CrowdStrike in March, when they linked the attack to a threat actor called Labyrinth Chollima, which has ties to the Democratic People’s Republic of Korea dating back to 2009. 

Mandiant officials declined to comment on the findings, as the investigation into the attack is ongoing, according to a spokesperson.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell