Mac and Windows versions of the 3CX communications app were trojanized and infected at least 97 users with information-stealing malware. The intrusion began when a 3CX employee downloaded a compromised X_Trader installer; the attacker then used the TAXHAUL launcher and COLDCAT downloader to perform DLL search order hijacking in the Windows 3CX build environment. On the macOS build server, the attacker relied on the POOLRAT backdoor and Launch Daemons for persistence. Mandiant attributes the breach, which is now believed to have hit multiple cryptocurrency companies, to the North Korean Lazarus APT. Lazarus used the same technique of cascading software supply chain compromises against South Korean users of WIZVERA VeraPort in 2020. Mandiant further noted that Lazarus can develop and deploy malware for Windows, macOS, and Linux.
Symantec’s Threat Hunter Team linked the X_Trader supply chain attack to additional organizations in the US and UK energy sectors, as well as two financial trading companies. The team noted that North Korean state-sponsored hackers have previously compromised critical infrastructure targets that were initially attacked for financial gain. Anyone who may have downloaded the X_Trader installer is advised not to run the software, since it may carry further supply chain compromises.