3CX hack caused by trading software supply chain attack


An investigation into last month’s 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds.

“We suspect there are a number of organizations that don’t yet know they are compromised,” Mandiant Consulting CTO Charles Carmakal told BleepingComputer.

“We’re hopeful that once we get this information out, it’ll help accelerate the process for companies to determine that they’re compromised and contain their incidents.”

The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer, deployed the multi-stage modular backdoor VEILEDSIGNAL designed to execute shellcode, inject a communication module into Chrome, Firefox, or Edge processes, and terminate itself.

According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group (tracked as UNC4736) behind the attack stole corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.

“On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” Mandiant said.

“The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism.”

The malware achieved persistence through DLL side-loading via legitimate Microsoft Windows binaries, which made it harder to detect.

It also automatically loaded during start-up, granting attackers remote access to all compromised devices over the internet.

UNC4736 double supply chain attackUNC4736 double supply chain attack (Mandiant)

Links to Operation AppleJeus

Mandiant says UNC4736 is related to the financially motivated North Korean Lazarus Group behind Operation AppleJeus [1, 2, 3], which was also linked by Google’s Threat Analysis Group (TAG) to the compromise of the www.tradingtechnologies[.] com website in a report from March 2022.

Based on infrastructure overlap, the cybersecurity firm also linked UNC4736 with two clusters of APT43 suspected malicious activity, tracked as UNC3782 and UNC4469.

“We determined UNC4736 is linked to the same North Korean operators based on the Trojanized X_TRADER app, distributed via the same compromised site mentioned in the TAG blog,” Fred Plan, Mandiant Principal Analyst for Google Cloud, told BleepingComputer.

“This, combined  with similarities in TTPs, and overlap on other infrastructure, gives us moderate confidence that these operators are tied together.”

The 3CX supply-chain attack

On March 29, 3CX acknowledged that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, one day after news of a supply chain attack surfaced

It took 3CX more than a week to react to customer reports that its software had been identified as malicious by several cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.

Nick Galea, the company’s CEO, also said after the attack’s disclosure that a ffmpeg binary used by the 3CX desktop client may have been the initial intrusion vector. However, FFmpeg denied Galea’s allegations, saying that it only provides source code that has not been compromised.

3CX advised customers to uninstall its Electron desktop client from all Windows and macOS devices (a mass-uninstall script can be found here) and immediately switch to the progressive web application (PWA) Web Client App provides similar features.

In response to 3CX’s disclosure, a team of security researchers created a web-based tool to assist the company’s customers in determining whether their IP address was potentially impacted by the March 2023 supply chain attack.

According to the company’s official website, the 3CX Phone System has over 12 million daily users and is utilized by more than 600,000 businesses globally, including high-profile organizations and companies like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers.

“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” Mandiant said.

“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

Update: Added link to 3CX incident update.


  • tmontney Photo tmontney – 2 days ago

    “The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer…”

    I can’t find anything in the Mandiant report that states it was from the employee’s personal machine. I take the above to indicate 3CX allows employee’s to access work resources from personally-owned (unaffiliated) machines.

    Regardless, this still underlines the importance of not mixing work and play. More specifically, that environments should enforce AppLocker/WDAC (or similar).

  • serghei Photo serghei – 2 days ago

    That info is from an incident update published by 3CX earlier today. Added a link to their blog post.

  • johnlsenchak Photo johnlsenchak – 2 days ago

    North Korea has about 1024 IP numbers with limited technology and fiber bandwidth from a China network I just don’t see how such a backwards country like North Korea could do something like this.

  • LIstrong Photo LIstrong – 12 hours ago

    3CX is in Cyprus and Russia. Another site says LinkedIn is involved. Is LinkedIn Connector – OAuth the vector? The U.S. Gov and other countries ban it so why does it default to enabled in O365 (Word/Options)? They’re using Connector to Hoover data to feed AI for their security app, but it doesn’t work. Don’t tell the US Gov or Wall St who is spending fervently on AI BS. Then again the DoD finally put a stop to an ongoing software project that they’ve already spent $10B on and it doesn’t work. So it’s no wonder they aren’t protecting us from this. But the economy cannot sustain these constant attacks.

    Is the grid about to get attacked because our Gov and Big tech have no self control? Mandiant is owned by Google.

    When non-technical people make technical decisions chaos ensues.

  • Krisjohn Photo Krisjohn – 2 days ago

    I think we need to get “supply chain” out of the discussion. A random software download included malware that was used to steal credentials, access a development environment and embed more malware in a company’s software.

    Initially calling it a supply chain attack was somewhat disingenuous at best and deliberately misleading at worst. A supply chain attack was literally the best case scenario at the time and it’s now doubtful that describing it that way was justified. It was a PR stunt, that mostly worked. My boss was like “whew, we can just wait until they’ve recompiled their app from different dependencies and it’ll be fine, since their environment wasn’t compromised”. Except their environment WAS compromised, so now what?

  • LIstrong Photo LIstrong – 12 hours ago

    Not a PR stunt. It’s foreshadowing.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.27 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,709 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 53,648 Downloads


Related posts

FBI seized domains linked to 48 DDoS-for-hire service platforms

Sarah Henriquez

FBI confirms BianLian ransomware switch to extortion only attacks

Sarah Henriquez

New ‘PowerDrop’ PowerShell malware targets U.S. aerospace industry

Sarah Henriquez

Leave a Comment