Forensic Analysis Confirms Involvement of North Korean Attackers in 3CX Supply Chain Attack

New malware discovered

• Attackers used Taxhaul (or TxRLoader) to target Windows machines, which was further used to deploy a second-stage payload called Coldcat.
• The backdoor used to target macOS machines has been named SIMPLESEA. Mandiant is yet to conclude if this is a new malware or has any overlaps with any existing malware family.

Attacks on Windows

• The decrypted shellcode is a downloader malware, dubbed Coldcat. The malicious files are saved at the location C:\Windows\System32\config\TxR\, in an attempt to disguise them for Windows installation files.
• The malware further used a unique cryptographic key for decryption for every targeted host machine. This prevents the execution of malware inside any sandbox or VM.
• In addition, the attacker used DLL sideloading to achieve persistence on the infected machine and ensure that the malware gets loaded at every restart.

Attacks on macOS

• It allows users to perform tasks such as management, execution, and transfer of files. Additionally, users can update the configurations, and execute shell commands. 
• It checks for the existence of a specific file (/private/etc/apdl[.]cf) that stores the configuration value (single-byte XOR encoded with the key 0x5e).
• It communicates with the C2, sharing a unique randomly generated bot ID, and a short survey report about the host.

Concluding notes