At least 2 critical infrastructure orgs breached by North Korea-linked hackers behind 3CX attack

North Korea-linked APT group behind the 3CX supply chain attack also broke into two critical infrastructure organizations in the energy sector.

Symantec researchers reported that the campaign conducted by North Korea-linked threat actors that included the 3CX supply chain attack also hit two critical infrastructure organizations in the energy sector.

“The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe.” reports Symantec. “It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures.”

The researchers also state that two other organizations involved in financial trading were also breached.

North Korea APT groups are known to carry out both cyber espionage campaigns and financially motivated attacks, for this reason, the compromise of critical infrastructure is worrisome.

The attack chain analyzed by Symantec commences with the Trojanized installer named X_TRADER_r7.17.90p608.exe. The executable file is digitally signed by “Trading Technologies International, Inc.” and contains a malicious executable named Setup.exe.

The malware employed in the attack achieves persistence by invoking a CLSID_TaskScheduler COM object, attempting to create a scheduled task to run periodically the file TpmVscMgrSvr.exe.

The X_Trader application was retired in 2020, but users can still download it from the company’s website.

Upon installing the legitimate X_Trader executable, it side-loads the two malicious DLLs dropped by the installer.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed.” concludes the report. “The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out.”

Symantec provided indicators of compromise for this campaign.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)