Lazarus and the 3CX Double Software Supply Chain Attack

2023-05-02 Avertium

https://explore.avertium.com/resource/lazarus-and-the-3cx-double-supply-chain-attack


The 3CX compromise is presented as a Lazarus-linked double software supply-chain incident: a trojanized X_TRADER application gave UNC4736 access to a 3CX employee's system, enabling lateral movement into 3CX's Windows and macOS build environments and the injection of malicious code into the 3CX desktop app. The source attributes the intrusion to North Korean activity through Mandiant, ESET, and Kaspersky reporting: the VEILEDSIGNAL backdoor, the discussion of POOLRAT/SIMPLESEA, Gopuram deployed to a subset of 3CX customers, and command-and-control overlap with SimplexTea. It further links the 3CX operation to Lazarus Operation DreamJob tradecraft, in which a fake HSBC job-offer lure aimed at Linux users delivered the SimplexTea backdoor via cloud storage.

Indicators of Compromise

Type Value First Seen Last Seen
HASH cc307cfb401d1ae616445e78b610ab7… 2023-04-20 2025-12-17
HASH 5e40d106977017b1ed235419b1e59ff… 2021-02-18 2025-09-01
HASH 492a643bd1efdaca4ca125ade1b606e… 2023-04-20 2024-12-27
DOMAIN security.com 2020-08-05 2024-11-11
HASH 451c23709ecd5a8461ad060f6346930c 2023-04-20 2023-10-05
HASH 3a63477a078ce10e53dfb5639e35d74… 2023-04-20 2023-05-09
HASH 9d8bade2030c93d0a010aa57b90915e… 2023-04-20 2023-05-09
HASH 3cf7232e5185109321921046d039cf10 2023-04-20 2023-05-09
HASH aac5a52b939f3fe792726a13ff7a1747 2023-04-20 2023-05-09
HASH 0ca1723afe261cd85b05c9ef424fc50… 2023-04-20 2023-05-09
HASH f6760fb1f8b019af2304ea6410001b6… 2023-04-20 2023-05-09
HASH fc41cb8425b6432af8403959bb59430d 2023-04-20 2023-05-09
DOMAIN journalide.org 2023-03-29 2023-05-09
HASH 5a07b09eea34d7faa9c37e2806a556c… 2023-05-02 2023-05-02
HASH c01dc42f65acaf1c917c0cc29ba63adc 2023-05-02 2023-05-02
HASH af2bc70f1c97a2f583f7b87aea3c8a6c 2023-05-02 2023-05-02
HASH ea31e626368b923419e8966747ca334… 2023-05-02 2023-05-02
HASH 2acc6f1d4656978f4d503929b8c8045… 2023-04-20 2023-05-02
HASH d288766fa268bc2534f85fd06a5d522… 2023-04-20 2023-05-02
HASH 7491bd61ed15298ce5ee5ffd01c8c82… 2023-04-20 2023-05-02
HASH 58b0516d28bd7218b1908fb266b8fe7… 2023-04-20 2023-05-02
HASH eebb01932de0b5605dd460cc82844d8… 2023-04-20 2023-05-02
HASH cedb9cdbad254f60cfb215b9bff84fb9 2023-04-20 2023-05-02
HASH 1c66e67a8531e3ff1c64ae57e6edfde… 2023-04-20 2023-05-02
HASH dcef83d8ee080b54dc54759c59f955e… 2023-04-20 2023-05-02
HASH 6426fe4dc604c7f1784ed1d48ab4ffc8 2023-03-31 2023-05-02
HASH 3b88cda62cdd918b62ef5aa8c5a73a4… 2023-03-30 2023-05-02
HASH aa4e398b3bd8645016d8090ffc77d15… 2023-03-30 2023-05-02
HASH cad1120d91b812acafef7175f949dd1… 2023-03-29 2023-05-02
HASH 76111d9780b2d0b5adee61cf752d937e 2022-12-01 2023-05-02
HASH 9352625b3e6a3c998e328e11ad43efb… 2022-12-01 2023-05-02
HASH 5b03294b72c0caa5fb20e7817002c60… 2022-12-01 2023-05-02
HASH 4257bb11570ed15b8a15aa3fc051a58… 2021-12-02 2023-05-02
HASH 9e4d9edb07c348b10863d89b6bb08141 2017-12-21 2023-05-02
HASH 65122e5129fc74d6b5ebafcc3376aba… 2017-12-21 2023-05-02
HASH e2ecec43da974db02f624ecadc94baf… 2014-12-17 2023-05-02
HASH 760c35a80d758f032d02cf4db12d3e55 2014-12-04 2023-05-02
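The table above mixes 32-character MD5 values with longer hashes that the page shows truncated (ending in "…"), so it cannot be dropped into a scanner as-is: full values can be matched exactly, truncated ones only as a prefix, and the domain entries need suffix matching to catch subdomains. The following is an added example of how to parse this row format and sweep files and DNS query names against it; it is not Avertium's tooling. The few IOC rows embedded in `PAGE_IOC_ROWS` are copied from the table; the file contents, the DNS names and the IOC rows used inside `demo()` are constructed test data.

```python
"""Parse the flattened 'Type Value First Seen Last Seen' IOC rows and sweep
files and DNS names against them. Added example, not the page's own code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Rows copied verbatim from the IOC table on this page.
PAGE_IOC_ROWS = """\
HASH cc307cfb401d1ae616445e78b610ab7… 2023-04-20 2025-12-17
HASH 451c23709ecd5a8461ad060f6346930c 2023-04-20 2023-10-05
DOMAIN security.com 2020-08-05 2024-11-11
DOMAIN journalide.org 2023-03-29 2023-05-09
"""


@dataclass(frozen=True)
class Ioc:
    kind: str         # "HASH" or "DOMAIN"
    value: str        # lower-cased, with any trailing "…" removed
    partial: bool     # True when the source truncated the value (prefix match only)
    first_seen: str
    last_seen: str


def parse_iocs(table_text: str) -> list[Ioc]:
    """Parse table rows; header and blank lines are skipped."""
    iocs = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("HASH", "DOMAIN"):
            continue
        raw = parts[1].lower()
        partial = raw.endswith("…")
        iocs.append(Ioc(parts[0], raw.rstrip("…"), partial, parts[2], parts[3]))
    return iocs


def file_digests(path: str) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file in one pass; the table mixes hash lengths."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict[str, str], iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """Return (algorithm, ioc_value, match_kind) for each matching hash IOC.

    Full values must match exactly. Truncated values can only be compared as a
    prefix, so those hits are labelled 'prefix' and should be confirmed against
    the untruncated hash in the original vendor report before acting on them.
    """
    hits = []
    for ioc in iocs:
        if ioc.kind != "HASH":
            continue
        for algo, digest in digests.items():
            if ioc.partial and digest.startswith(ioc.value):
                hits.append((algo, ioc.value, "prefix"))
            elif not ioc.partial and digest == ioc.value:
                hits.append((algo, ioc.value, "exact"))
    return hits


def match_domain(queried_name: str, iocs: list[Ioc]) -> list[str]:
    """Match a DNS query name against domain IOCs, including their subdomains."""
    name = queried_name.lower().rstrip(".")
    return [ioc.value for ioc in iocs
            if ioc.kind == "DOMAIN" and (name == ioc.value or name.endswith("." + ioc.value))]


def demo() -> dict:
    """Constructed scenario (not from the page): a temp file containing b'abc'
    checked against constructed IOC rows. The well-known hashes of b'abc' are
    MD5 900150983cd24fb0d6963f7d28e17f72 and SHA-256 ba7816bf...f20015ad; one
    is listed in full, the other truncated to 31 hex characters like the page."""
    constructed_rows = (
        "HASH 900150983cd24fb0d6963f7d28e17f72 2023-04-20 2023-05-02\n"
        "HASH ba7816bf8f01cfea414140de5dae222… 2023-04-20 2023-05-02\n"
        "DOMAIN journalide.org 2023-03-29 2023-05-09\n"
    )
    iocs = parse_iocs(constructed_rows)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        hash_hits = match_hashes(file_digests(path), iocs)
    return {
        "hash_hits": hash_hits,
        "domain_hits": match_domain("cdn.journalide.org.", iocs),
        "clean_domain": match_domain("example.org", iocs),
    }


if __name__ == "__main__":
    for ioc in parse_iocs(PAGE_IOC_ROWS):
        print(ioc)
    print(demo())
```

Two caveats follow from the table itself. A prefix hit on a truncated value is an investigative lead, not a confirmed match, which is why `match_hashes` labels it separately. And a bare registrable domain such as the `security.com` entry will, with suffix matching, flag every query for any of its subdomains; review entries like that against the originating report before wiring them into an alert.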
