Summary:
Symantec researchers reported that the campaign conducted by North Korea-linked threat actors that included the 3CX supply chain attack also hit two critical infrastructure organizations in the energy sector.

“The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe.” reports Symantec. “It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures.”

The researchers also state that two other organizations involved in financial trading were also breached.

Analyst comments:
North Korea APT groups are known to carry out both cyber espionage campaigns and financially motivated attacks, for this reason, the compromise of critical infrastructure is worrisome.

“The attack chain analyzed by Symantec commences with the Trojanized installer named X_TRADER_r7.17.90p608[.]exe. The executable file is digitally signed by “Trading Technologies International, Inc.” and contains a malicious executable named Setup[.]exe. The malware employed in the attack achieves persistence by invoking a CLSID_TaskScheduler COM object, attempting to create a scheduled task to run periodically the file TpmVscMgrSvr[.]exe” (Security Affairs, 2023).

X_Trader was discontinued in 2020, but is still available for download on the company’s website. Downloading this legitimate X_Trader executable results in the side-loading of two malicious DLLs.

The researchers note that the discovery of organizations breached before 3CX means there are are likely more organizations impacted by this supply chain attack. The impacts of this attack could be more widespread than initially thought. “The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out.” Symantec provided indicators of compromise for this campaign.

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/
https://securityaffairs.com/145133/breaking-news/north-korea-apt-3cx-critical-infrastructure.html