lazarusholic

Everyday is lazarus.dayβ

Security Update Mandiant Initial Results

2023-04-11, 3CX
https://www.3cx.com/blog/news/mandiant-initial-results/
#SupplyChain #YARA #UNC4736 #TAXHAUL #3CXDesktopApp #SmoothOperator

Initial Results from Mandiant Incident Response
Following the appointment of Mandiant as our security incident response team, forensic analysis on our network and product is in progress. In a nutshell, the interim assessment concluded:
Attribution
Based on its investigation into the 3CX intrusion and supply chain attack thus far, Mandiant attributes the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.
Windows-based Malware
Mandiant determined that the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”) malware. When executed on Windows systems, TAXHAUL decrypts and executes shellcode located in a file named <machine hardware profile GUID>.TxR.0.regtrans-ms located in the directory C:\Windows\System32\config\TxR\. The attacker likely chose this file name and location to attempt to blend into standard Windows installations. The malware uses the Windows CryptUnprotectData API to decrypt the shellcode with a cryptographic key that is unique to each compromised host, which means the data can …

IoC

d9d19abffc2c7dac11a16745f4aea44f
http://akamaicontainer.com
http://azureonlinecloud.com
http://journalide.org
http://msboxonline.com
rule TAXHAUL
{
    meta:
        author = "Mandiant"
        created = "04/03/2023"
        modified = "04/03/2023"
        version = "1.0"
    strings:
        $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}
        $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}
    condition:
        uint16(0) == 0x5A4D and any of them
}
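To make the rule above concrete, here is an added Python example (not part of the 3CX post or Mandiant's tooling) that translates its two hex strings into byte regexes, honouring the `??` single-byte wildcards and `[4]` jumps, and then evaluates the same condition (`uint16(0) == 0x5A4D and any of them`) over a buffer. The function names and the sample buffer are constructed for illustration; the buffer is not a real TAXHAUL file, it simply embeds one instance of `$p00_1` behind an MZ header so the matching logic can be exercised offline. Nibble wildcards such as `4?` are handled as well, which goes slightly beyond what this particular rule needs.

```python
import re

# The two hex strings of the TAXHAUL rule shown on this page, copied as-is.
TAXHAUL_STRINGS = {
    "$p00_0": "410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb",
    "$p00_1": "4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074",
}

# One token of a YARA hex string: a jump [n] / [n-m], a whole-byte wildcard ??,
# or a two-nibble byte that may contain a nibble wildcard such as 4?.
_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\?\?|[0-9a-fA-F?]{2}")


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA hex string into an equivalent bytes regex."""
    text = hex_string.replace(" ", "")
    parts, pos = [], 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        tok = m.group(0)
        if tok.startswith("["):
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))   # jump: lo..hi arbitrary bytes
        elif tok == "??":
            parts.append(b".")                     # any single byte
        elif "?" in tok:
            # nibble wildcard: character class of the 16 candidate byte values
            cands = [v for v in range(256) if all(
                c == "?" or int(c, 16) == (v >> shift) & 0xF
                for c, shift in zip(tok, (4, 0)))]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in cands) + b"]")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(text):
        raise ValueError(f"trailing garbage: {text[pos:]!r}")
    # DOTALL so '.' also matches 0x0a, which is just another byte here
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, strings: dict = TAXHAUL_STRINGS) -> dict:
    """Offsets at which each hex string matches, keyed by string name."""
    return {name: [m.start() for m in hex_string_to_regex(hx).finditer(data)]
            for name, hx in strings.items()}


def taxhaul_rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: uint16(0) == 0x5A4D and any of them."""
    # uint16(0) in YARA is little-endian, so 0x5A4D is the bytes 'MZ'
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    return any(scan(data).values())


def build_sample() -> bytes:
    """Constructed buffer (not a real file): an MZ header, filler, and one
    instance of $p00_1 with arbitrary bytes in the wildcard and jump slots."""
    fragment = (bytes.fromhex("4d3926488b01400f94c6ff90") + b"\xaa\xbb\xcc\xdd"
                + bytes.fromhex("41b9") + b"\x01\x02\x03\x04"
                + bytes.fromhex("eb") + b"\x2a"
                + bytes.fromhex("8bde4885c074"))
    return b"MZ" + b"\x90" * 62 + fragment + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample()
    print("TAXHAUL matches:", taxhaul_rule_matches(sample), scan(sample))
```

This is a teaching aid for reading the rule, not a replacement for the YARA engine: in practice the rule is fed to `yara` or `yara-python` as-is. The translation does show why the rule is written this way: the fixed bytes are the stable parts of the loader's code, while the `[4]` jumps and `??` wildcards absorb the RIP-relative displacements and short-jump offsets that change between builds.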