Unc4736

Threat Actor updated 5 months ago (2024-05-04T17:52:36.164Z)
Download STIX
Preview STIX
UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst to the user, UNC4736 had previously breached Trading Technologies' systems and inserted a backdoor into the X_TRADER app's installation file. This allowed the group to gain access to the employee's 3CX administrator credentials, which they used to infiltrate the company's network environment via a VPN connection and move laterally within the system. The incident response group Mandiant, part of Google Cloud, attributed the 3CX campaign to UNC4736. CrowdStrike, a threat intelligence firm, also tracks this group under the codename "Labyrinth Chollima," more commonly known as Lazarus Group. Notably, elements of this group were reportedly behind the X_TRADER supply chain attack discovered earlier in the year. Furthermore, Mandiant attributes both supply chain attacks to North Korean criminals tracked as UNC4736, suggesting that this is not a new group but likely related to another financially motivated North Korean operation known as AppleJeus. The UNC4736 group successfully compromised both 3CX’s Windows and macOS build environments, reinforcing the assessment of its North Korean nexus. This connection was further supported by ESET's discovery of an overlapping command-and-control (C2) domain employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job. The original compromise of Trading Technologies occurred at least a year ago, with a malicious X_TRADER software package available for download on the financial trading business’s website in early 2022.
Description last updated: 2024-05-04T16:16:33.363Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Labyrinth Chollima is a possible alias for Unc4736. Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea’s foreign adversaries, as well as currency generation campaigns. This group, also known by var
2
Lazarus Group is a possible alias for Unc4736. The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over th
2
AppleJeus is a possible alias for Unc4736. AppleJeus is a notorious malware attributed to the North Korean hacker group, also known as Citrine Sleet. This group gained notoriety by distributing versions of AppleJeus malware primarily targeting cryptocurrency traders. The malware has evolved over time, with multiple versions being identified,
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Mandiant
Korean
3cx
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Unc4736 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more