Eset Says Discovery Solidifies North Korea’s Ties to 3CX Attack
A North Korean backdoor targeting Linux desktop users shares infrastructure with the hacking group behind the 3CX software supply chain hack.
Security researchers from cybersecurity firm Eset analyzed the backdoor and connected it with a Pyongyang fake job recruiting campaign generally known as Operation Dream Job (see: North Korean Hackers Find Value in LinkedIn). North Korean hackers “can produce and use malware for all major desktop operating systems: Windows, macOS, and Linux,” Eset said.
North Korean hackers Trojanized the source code of desktop phone provider 3CX in an attack publicly disclosed in late March. Researchers from Mandiant earlier this week said they had traced the source of the infection to another software supply chain attack made against Trading Technologies, a Chicago developer of financial trading software. Researchers from Symantec on Friday said they have identified further victims of the Trading Technologies hack (see: Symantec: More X_Trader Supply Chain Attacks Uncovered).
Hackers disguised the Linux backdoor sample analyzed by Eset as a software development offer putatively extended by British multinational bank HSBC.
Anyone who double-clicked on the PDF offer letter would download a backdoor for the Linux operating system Eset dubs SimplexTea. Eset identified similarities between SimplexTea and an already-identified North Korean backdoor for Windows computers called Badcall – including the same set of domains used as a front for TLS connection.
The SimplexTea backdoor also used a custom implementation of the A5/1 cipher in Windows malware used by North Korean hackers to sabotage Sony Pictures in 2014 ahead of its release of “The Interview,” a comedy that ends by depicting the fiery helicopter death of North Korean hereditary dictator Kim Jong Un.
Eset further connects the backdoor to the 3CX hackers by saying that it and the malware downloaded by the Trojanized VoIP software share the same network infrastructure. Each uses
journalide.org as a command-and-control domain. SimplexTea and the 3CX malware also load their configurations in a very similar way.
Eset said the North Korean actors are Lazarus Group, although Mandiant identifies them as belonging likely to UNC4736, a financially motivated Pyongyang hacking activity also identified as AppleJeus.