Continued analysis of the supply chain attack at business communications provider 3CX has revealed a byte-by-byte match in code between that found in the trojanised 3CX program and North Korean state-sponsored hacking group Lazarus.
The revelation marks the first specific attribution for the attack. When first announced, the evidence simply pointed broadly to a North Korean threat actor.
Researchers from Sophos published the discovery, saying code found in the portable execution (PE) shellcode loader used in the 3CX attack has only ever been seen in attacks attributed to the Lazarus group.
"The code in this incident is a byte-to-byte match to those previous samples," it said in its blog post which was updated on Thursday evening.
3CX developers 'missed red flags'
Security researchers from ReversingLabs found that 3CX had missed signs that its client had been tampered with before releasing an update.
They compared two macOS installer packages, the last known safe version and the first known compromised version, and found several "red flags" that prompted a deeper investigation.
ReversingLabs said its own software indicated that a Microsoft digitally signed binary was modified after signing without breaking the signature integrity, something that could not happen by accident during the build process.
"Developers would have had to make a conscious choice to implement a change like this, and that would never happen for a software component they own," the researchers wrote.
"Other indicators of malicious intent were hard to come by as the malware hides itself as a statically linked function with ffmpeg library. But even without observing the malware execute, there are enough suspicious goings-on just in the diff between the two 3CXDesktopApp updates to warrant a deeper investigation."
The researchers added that there was "no sensible explanation" for their observation that RC4-encrypted shellcode was added to the signature appendix of the package's d3dcompiler and a reference to the compiler's library in the installer's ffmpeg library.
This process suggested to malicious activity had taken place, and was later proven in the attack's analysis.
ReversingLabs' analysis of the compromised package's metadata concluded that the attack was likely facilitated by a compromise of an open source repository, and that 3CX could have spotted this in the development process.
The company's researchers said they believe that a repository on which 3CX's Electron app relies was tampered with.
Such attack scenarios have become popular in recent years, with attacks on PyPI, PyTorch, and npm all making headlines.
The compromised DLL files, ffmpeg and d3dcopiler_47, are shipped with the Electron open source framework as standard and are unlikely to trigger alerts from security products.
Also, d3dcopiler_47 is signed with a Microsoft certificate, one that has no known reports of issues, meaning endpoint protection software, in most cases, would see it as safe.
"ReversingLabs' analysis of the modifications made to the company’s 3CXDesktopApp suggest that there were telltale signs of tampering with the company’s desktop client software prior to its release," it said in a blog post shared with ITPro.
"Had these signs been noticed during development, it should have triggered a closer analysis of the software release and, possibly, discovery of the breach and malicious code additions."
3CX CEO offers update
3CX's CEO Nick Galea revealed on 31 March that the company knew about the issue as far back as 22 March after it received an alert from SentinelOne.
Accelerate full-stack web and mobile app development
Three tips proven to help teams build modern apps faster
The company uploaded the supposedly malicious file to the VirusTotal malware detection platform to verify the report.
Galea said that the service didn’t show that the file had malware, even displaying an indicator from SentinelOne on the platform that it was fine. 3CX repeated this a week later on 29 March and received the same results.
3CX realised it had been breached later that day and has now recruited incident response specialist Mandiant to investigate the incident.
On 30 March, the company confirmed its desktop software had been tampered with, and said it could have been carried out by a state-sponsored attacker. Customers were encouraged to uninstall the app, and reinstall a version which wasn’t impacted by the malware.
