
Krebs on Security Reports 3CX Breach Involved Double Supply Chain Compromise


The recent supply-chain attack on VoIP software provider 3CX has made waves in the cybersecurity community due to the complex and lengthy nature of the intrusion. The attack has been likened to a cyberpunk spy novel, with North Korean hackers reportedly using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer, targeting Mac and Linux users working at defense and cryptocurrency firms. Researchers at ESET revealed that one such apparent job offer, sent by a phony HSBC recruiter on LinkedIn, was North Korean malware masquerading as a PDF file.

3CX, which claims to have more than 600,000 customers and 12 million users across a range of industries including aerospace, healthcare, and hospitality, disclosed in late March that its desktop applications for both Windows and macOS were compromised with malicious code. The code gave attackers the ability to download and run code on all machines where the app was installed.

The company hired incident response firm Mandiant, which released a report that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies. Mandiant found that the earliest evidence of compromise uncovered within 3CX’s network was through the virtual private network (VPN), using the employee’s corporate credentials, two days after the employee’s personal computer was compromised. The report also revealed that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus.

Mandiant discovered that the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files would reveal the location of the malware’s control server, which was then queried for a third stage of the malware compromise: a password stealing program dubbed ICONICSTEALER. The double supply chain compromise ensured that malware was pushed out to some 3CX customers, leaving the victims exposed to North Korean hackers.

Meanwhile, the security firm ESET published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy, and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated. Mandiant, Proofpoint, and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer.

Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty. Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although it has traditionally referred to this group as “ZINC.” That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “Diamond Sleet.”

ESET found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC. The malicious file used in the scheme appeared to have a “.pdf” extension, but this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character, one that is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure. Experts expect many more victims to be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public. While the X_TRADER software had been decommissioned in April 2020, making it a less-than-ideal vector for the North Korean hackers to infect customers, it remains unclear whether the compromised software was downloaded by people at other software firms.
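As an added defensive check (example code written for this page, not code from the article, ESET, or 3CX), the helper below compares the extension the filesystem actually splits on with the extension a human reader sees. It assumes the leader character in the lure was U+2024 ONE DOT LEADER, the table-of-contents leader the article describes, and also covers a few other look-alike dots, so it generalizes a little beyond the single case reported.

```python
import os
import unicodedata

# Dot-like code points a reader will take for the '.' before an extension.
# U+2024 ONE DOT LEADER is the table-of-contents leader assumed for the HSBC lure.
CONFUSABLE_DOTS = frozenset("\u2024\uff0e\u00b7\u2027\u30fb")


def analyze_filename(name: str) -> dict:
    """Compare the extension the OS sees with the extension a human sees."""
    # What the filesystem and most scanners split on: the ASCII full stop only.
    real_ext = os.path.splitext(name)[1]
    # NFKC folds compatibility characters such as U+2024 and U+FF0E to '.', so
    # the normalised name shows what the eye (and a careless parser) reads.
    apparent_ext = os.path.splitext(unicodedata.normalize("NFKC", name))[1]
    confusables = [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in CONFUSABLE_DOTS
    ]
    # Heuristic: any look-alike dot, or an extension that only exists after
    # normalisation, deserves a second look. Legitimate middle dots (e.g. in
    # Catalan names) also trip this, so treat it as a triage signal, not a verdict.
    suspicious = bool(confusables) or real_ext != apparent_ext
    return {
        "name": name,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "confusables": confusables,
        "suspicious": suspicious,
    }


def flag_attachments(names):
    """Return the analyses of every filename that deserves analyst review."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


# Constructed sample attachment names; the first mimics the lure's ONE DOT LEADER.
SAMPLE_NAMES = [
    "HSBC job offer\u2024pdf",
    "quarterly-report.pdf",
    "r\u00e9sum\u00e9.pdf",
]

if __name__ == "__main__":
    for hit in flag_attachments(SAMPLE_NAMES):
        print(hit["name"], "looks like", hit["apparent_ext"] or "(no extension)",
              "but is really", hit["real_ext"] or "(no extension)",
              [n for _, _, n in hit["confusables"]])
```

Run over mail-gateway or EDR file-creation logs, the NFKC mismatch alone catches the compatibility leaders, while the code-point scan also catches dots that NFKC leaves untouched.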
