Concern over a North Korean cybercrime group spiked last week after researchers discovered that the hackers infiltrated a futures platform using trojan malware, then injected a similar trojan into telephone conference calling software.
The telephone system software company 3CX hired cybersecurity firm Mandiant to investigate a compromise
Trading Technologies customers include the largest banks, brokers, money managers, hedge funds and others, according to
Mandiant believes the hackers behind all the activity are associated with a North Korea-aligned threat actor it calls UNC4736. Other researchers have given the group other names, and the entity is most commonly known as
While researching the 3CX compromise, Mandiant found evidence that Lazarus Group had compromised the software development environment of Trading Technologies as early as 2021.
Mandiant researchers said this is the first time they have seen a supply chain attack — an attack on a company's development environment as a means of distributing malware to users — lead to another supply chain attack.
Google
X_Trader is "a niche product for trading exchange-listed derivatives," according to a spokeswoman for Trading Technologies. She said X_Trader users are institutional and professional traders rather than retail traders but did not specify the number of bank users.
Trading Technologies decommissioned X_Trader in April 2020, according to the spokeswoman, but the company kept a download for the software on its website — a practice among some software vendors to help support legacy users.
In April 2022, a 3CX employee downloaded the software, according to Mandiant. The copy the 3CX employee downloaded worked normally but secretly contained a trojan that allowed Lazarus Group to connect to the computer and remotely control it while leaving little trace.
Trading Technologies is currently investigating just how long ago Lazarus Group inserted the trojan into the software that it hosted on its website, according to the company spokeswoman, and how exactly it happened.
Besides 3CX, additional users victimized by the X_Trader compromise include two critical infrastructure organizations in the energy sector, one American and the other European, according to the cybersecurity firm Symantec. Fallout from the events is expected to continue, according to Marius Fodoreanu, a principal consultant at Mandiant, which is part of Google Cloud.
"We suspect there are a number of organizations that don't know they're compromised yet, and that new victims — like those
Chaining supply chain compromises, as Lazarus Group did in this case, is rare because it is difficult. For one, the sophistication required to compromise well-known software vendors in the first place is higher than average, according to Fodoreanu. For another, the more software that contains a group's malware, the more likely it is that a security researcher detects something fishy.
Still, organizations that Lazarus Group has compromised as part of this campaign could include other software vendors, Fodoreanu said.
"It is also likely that other software vendors might be compromised without knowing it to date, and we hope that this public sharing of information and indicators will help companies conduct threat-hunting to uncover potential undetected compromises using similar tactics, techniques and procedures."
Mandiant enumerated the indicators of compromise in
The trojan in the compromised version of X_Trader contains software that exploits two open source projects —
Once the malware established a connection between the victim computer and Lazarus Group's servers, the group could send shellcode that the malware could then execute.
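The hunt Fodoreanu describes, matching published indicators against what is actually on the estate, comes down to two checks: are any hosts carrying the trojanized installer, and has any host resolved the malware's command-and-control names. The script below is an added example and is not code from the article, Mandiant, 3CX or Trading Technologies. Every indicator and log line in it is constructed: the "bad" hash is the digest of a stand-in byte string, the C2 domains are `.example` placeholders, and the inventory rows and DNS log use invented hostnames. A practitioner would substitute the indicators Mandiant published and feed in real EDR inventory and resolver logs.

```python
"""IoC-driven hunt for a trojanized installer and its C2 lookups.

Added example, not code from the article or from Mandiant/3CX.
All indicators and log data below are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass

# --- Constructed indicators (replace with the published IoCs) ---------------
# Stand-in for the bytes of a trojanized installer; its digest plays the role
# of a published "known bad" file hash. NOT the real X_Trader hash.
TROJANIZED_SAMPLE = b"constructed stand-in for a trojanized installer"
BAD_INSTALLER_SHA256 = {hashlib.sha256(TROJANIZED_SAMPLE).hexdigest()}

# Placeholder command-and-control domains (assumed, not from the report).
BAD_C2_DOMAINS = {"c2.placeholder.example", "update.placeholder.example"}

# --- Constructed telemetry ----------------------------------------------------
# (host, path, sha256) rows as an EDR software-inventory export might give them.
SAMPLE_INVENTORY = [
    ("ws-eng-07", r"C:\Users\dev\Downloads\X_Trader_installer.exe",
     hashlib.sha256(TROJANIZED_SAMPLE).hexdigest()),
    ("ws-fin-03", r"C:\Users\fin\Downloads\X_Trader_installer.exe",
     hashlib.sha256(b"constructed clean installer").hexdigest()),
]

# Resolver log lines in a constructed "<ts> <host> query <qname>" format.
SAMPLE_DNS_LOG = [
    "2022-04-20T10:01:02Z ws-eng-07 query update.placeholder.example",
    "2022-04-20T10:01:05Z ws-eng-07 query cdn.legit-vendor.example",
    "2022-04-20T10:02:11Z ws-fin-03 query mail.corp.example",
    "2022-04-20T10:03:30Z ws-eng-07 query beacon.c2.placeholder.example.",
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "installer_hash" or "c2_dns"
    detail: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, vendor_published_sha256: str) -> bool:
    """Pre-install check: does the file match the hash the vendor publishes?

    A trojanized copy served from a vendor's own download page, as in the
    X_Trader case, fails this check only if the published hash is obtained
    out of band (e.g. from release notes or a signed manifest), not from
    the same page that served the binary.
    """
    return sha256_of(data) == vendor_published_sha256.lower()


def hunt_installers(inventory):
    """Flag inventory rows whose file hash is a known-bad installer hash."""
    return [
        Finding(host, "installer_hash", f"{path} sha256={digest}")
        for host, path, digest in inventory
        if digest.lower() in BAD_INSTALLER_SHA256
    ]


_DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>[\w.-]+)$")


def hunt_dns(lines):
    """Flag resolver queries for a C2 domain or any of its subdomains."""
    findings = []
    for line in lines:
        m = _DNS_LINE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or malformed lines
        qname = m["qname"].lower().rstrip(".")  # normalise trailing dot
        if any(qname == d or qname.endswith("." + d) for d in BAD_C2_DOMAINS):
            findings.append(Finding(m["host"], "c2_dns", qname))
    return findings


def summarize(findings):
    """Group findings by host so a host hit on both checks stands out."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.kind)
    return by_host


if __name__ == "__main__":
    hits = hunt_installers(SAMPLE_INVENTORY) + hunt_dns(SAMPLE_DNS_LOG)
    for host, kinds in summarize(hits).items():
        print(host, sorted(kinds))
```

On the constructed data, `ws-eng-07` is flagged by both checks (it holds the bad installer and resolved two C2 names), which is the pattern worth escalating first; `ws-fin-03` holds a clean copy and never resolves a C2 name. The subdomain match in `hunt_dns` matters because C2 infrastructure is often reached through hostnames beneath a published domain, and the trailing-dot normalisation avoids missing fully qualified query names.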