Google-owned Mandiant is investigating the breach, and 3CX has released some information from the security firm’s initial analysis.
“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” 3CX said.
Mandiant found that the hackers targeted 3CX Windows systems with a piece of malware named Taxhaul (aka TxrLoader). Taxhaul uses DLL sideloading to achieve persistence and reduce the likelihood of detection. The malware is designed to deploy a downloader tracked by Mandiant as Coldcat.